Malware
Transcription
Malware
Tools Information Assurance Tools Report First Edition September 17, 2009 Malware EX Distribution Statement A S E R VICE C E L L E NC E I NF N I N O R MA T IO Approved for public release; distribution is unlimited. Form Approved OMB No. 0704-0188 REPORT DOCUMENTATION PAGE Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS. 1. REPORT DATE (DD-MM-YYYY) D 2. REPORT TYPE 3. DATES COVERED (From - To) 17-09-2009 Report 17-09-2009 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Information Assurance Technology Analysis Center (IATAC) Tools Report on Anti-Malware Tools Report on 5b. GRANT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER SPO700-98-D-4002 5c. PROGRAM ELEMENT NUMBER Karen Mercedes Goertzel 5e. TASK NUMBER N/A Goertzel, Karen Mercedes; Winograd, Theodore 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION REPORT NUMBER AND ADDRESS(ES) IATAC 13200 Woodland Park Road Herndon, VA 20171 9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) Defense Technical Information Center 8725 John J. Kingman Road, Suite 0944 Fort Belvoir, VA 22060-6218 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION / AVAILABILITY STATEMENT Distribution Statement A. Approved for public release; distribution is unlimited. 13. SUPPLEMENTARY NOTES IATAC is operated by Booz Allen Hamilton, 8283 Greensboro Drive, McLean, VA 22102 14. ABSTRACT This Information Assurance Technology Analysis Center (IATAC) tools report provides a brief background on what malware is, the types of malware and how they operate, recent trends in malware capabilities, behaviors, and incidents, and what makes systems vulnerable to malware infection. The report also discusses the types of countermeasures used to fight malware, and the technological capabilities employed by those countermeasures. The report goes on to provide a summary of the characteristics and capabilities of 150+ publicly-available anti-malware tools (commercial, open source, and free). Finally, the report identifies a number of suggested resources for learning more about malware and anti-malware technology and tools and for obtaining guidance on how to effectively mitigate malware risks throughout the information technology life cycle. 15. SUBJECT TERMS IATAC Collection, malware, malicious code, virus, worm, Trojan horse, Trojan, botnet, spyware, adware, rootkit, scanner, quarantine, heuristic, signature-based 16. SECURITY CLASSIFICATION OF: a. REPORT b. ABSTRACT c. THIS PAGE UNCLASSIFIED UNCLASSIFIED UNCLASSIFIED 17. LIMITATION OF ABSTRACT 18. NUMBER OF PAGES 19a. NAME OF RESPONSIBLE PERSON None 230 19b. TELEPHONE NUMBER (include area Tyler, Gene code) 703-984-0775 Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std. Z39.18 About the Authors XXKaren Mercedes Goertzel, CISSP, [1] leads Booz Allen Hamilton’s Security Research Service. She is a subject matter expert in software assurance, cyber security, and information assurance. She was lead author of Software Security Assurance: A State-of-the-Art Report (July 2007) and The Insider Threat to Information Systems (October 2008), and contributing author to Measuring Cyber Security and Information Assurance: A State of the Art Report (May 2009), published by the Defense Technical Information Center (DTIC). Ms. Goertzel has advised the Naval Sea Systems Command (NAVSEA) and the Department of Homeland Security (DHS) Software Assurance Program; for the latter, she was lead author of Enhancing the Development Life Cycle to Produce Secure Software (October 2008). Ms. Goertzel was also a contributing author of National Security Agency’s (NSA) Guidance for Addressing Malicious Code Risk, and chief technologist of the Defense Information Systems Agency (DISA) Application Security Program, for which she co-authored a number of secure application developer guides. She contributed to several National Institute of Standards and Technology (NIST) Special Publications (SP), including SP 800-95, Guide to Secure Web Services. She also tracks emerging technologies, trends, and research in information assurance, cyber security, software assurance, information quality, and privacy. Before joining Booz Allen (as an employee of what is now BAE Systems) Ms. Goertzel was a requirements analyst and architect of highassurance trusted systems and cross-domain solutions for defense and civilian establishments in the United States (U.S.), the North Atlantic Treaty Organization (NATO), Canada, and Australia. XXTheodore Winograd, CISSP, has been involved in software security assurance and information assurance for over five years, particularly serviceoriented architecture security and application security. He has supported the DHS Software Assurance Program, the DISA Application Security Program, and the DISA Net-Centric Enterprise Services project. Mr. Winograd has also supported security engineering efforts for multiple government organizations. Mr. Winograd has served as lead author for multiple NIST SPs, including SP 800-95, Guide to Secure Web Services, and has served as a contributing author for state of the art reports for the DTIC’s Information Assurance Technology Analysis Center (IATAC). References 1 Certified Information System Security Professional IA Tools Report i Table of Contents About the Authors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . i Section 1 u Introduction. . . . . . . . . . . . . 1 1.1 Purpose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.3 Report Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Section 2 u Malware Overview. . . . . . . 7 2.1 Categorization of Malware . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Vulnerabilities Commonly Exploited by Malware. . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.3 Trends in Malware Incidents. . . . . . . . . . . . . . . . . . . . . 16 2.4 Malware Perpetrators and Their Motivations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Section 3 u nti-Malware A Countermeasures. . . . . . . 19 3.1 Technology-Based Countermeasures. . . . . . . . . . . . . 19 3.1.1 Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.1.1.1 Signature-Matching. . . . . . . . . . . . . . . 19 3.1.1.1.1 Data Mining to Improve Signature Generation and Accuracy . . . . . . . . . . . 20 3.1.1.1.2 Operational Threat Discovery to Augment Signature-Based Detection. . . . . . . . . . . . . . . 20 3.1.1.1.3 Emerging improvements to behavior-based detection. . 20 3.1.1.2 Behavior-Based Detection . . . . . . . . . 20 3.1.1.2.1 Feature Extraction in Support of Behavior-Based Malware Detection. . . . . . .21 3.1.1.2.2 Malicious Property Detection. . . . . . . . . . . . . . . 21 3.1.1.3 Anomaly-Based Detection . . . . . . . . . 21 3.1.1.3.1 Heuristic scanning for code abnormalities indicating malware. . . . . . . 21 3.1.1.4 Detection of Indirect Malware Indicators. . . . . . 22 3.1.2 Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 3.1.2.1 Quarantine. . . . . . . . . . . . . . . . . . . . . . . 23 3.1.2.2 Constrained Execution Environments. . . . . . . . . . . . . . . . . . . . . 23 3.1.3 Eradication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3.2 Integrating Anti-Malware Countermeasures into IT Security Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Section 4 u Anti-Malware Tools . . . . . 27 4.1 Classification of Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . 27 4.2 Tool Selection Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . 27 4.3 Descriptions of Current Anti-Malware Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 4.3.1 Malware Detection and Removal Tools. . . . . . 29 4.3.1.1 “Broad Spectrum” Anti-Malware Tools . . . . . . . . . . . . . . . 29 Agnitum® Outpost Antivirus Pro . . . . . . . . . . . . . . . . . . . . . 30 ALWIL Software avast! anti-virus Professional Edition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Ashampoo® AntiSpyware 2 . . . . . . . . . . . . . . . . . . . . . . . . . 32 Authentium® Command Anti-Virus v5. . . . . . . . . . . . . . . . . 33 AVG 8.5 Internet Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Avira AntiVir® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 AxBx Software Solutions VirusKeeper 2009. . . . . . . . . . . . 36 Beijing Rising International Software Rising Antivirus 2009. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 BitDefender AntiVirus 2009, GameSafe, and Mobile Security v2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 CA [9] Anti-Virus Plus Anti-Spyware 2009. . . . . . . . . . . . . . 40 Central Command Vexira® Antivirus. . . . . . . . . . . . . . . . . . 41 ClamWin Free Antivirus 0.95.1. . . . . . . . . . . . . . . . . . . . . . . . 42 Comodo Security Solutions BOClean. . . . . . . . . . . . . . . . . . 43 CurioLab Exterminate It!. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Doctor Web Dr.Web Anti-virus. . . . . . . . . . . . . . . . . . . . . . . 45 DriveSentry SecuritySuite and GoAnywhere. . . . . . . . . . . 46 Emsi Software A-squared . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Emsi Software Mamutu 1.7.0.27 . . . . . . . . . . . . . . . . . . . . . . 48 ESET® NOD32® Antivirus. . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Filseclab Twister Anti-TrojanVirus . . . . . . . . . . . . . . . . . . . . 50 Finport Technologies Simple Antivirus v2.1 and Corporate v2.4 Beta. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 IA Tools Report iii FireEye® 4200 Web Malware & Botnet Security System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 F-Secure Anti-Virus 2009. . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Greatis Software UnHackMe 5.0 . . . . . . . . . . . . . . . . . . . . . 54 HAURI ViRobot Desktop 5.5, GatewayWall, Exchange 3.0, Windows Server 3.5, SDK . . . . . . . . . . . . . . 55 iolo® AntiVirus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Jiangmin Antivirus Software KV2009. . . . . . . . . . . . . . . . . . 57 K7 Computing AntiVirus 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Kaspersky® Anti-Virus 2009 . . . . . . . . . . . . . . . . . . . . . . . . . 59 Lavasoft® Ad-Aware®. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60 Lavasoft Anti-Virus Helix . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Malwarebytes® Anti-Malware 1.37. . . . . . . . . . . . . . . . . . . 62 Microsoft Forefront Client Security. . . . . . . . . . . . . . . . . . . 63 Microsoft Windows Malicious Software Removal Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 MicroWorld® Technologies eScan AntiVirus 9.0/10.0 and eScan for Linux 2.0 . . . . . . . . . . . . . 65 MIEL e-Security Labs Helios and Helios Lite. . . . . . . . . . . 66 MooSoft Development The Cleaner 2010 . . . . . . . . . . . . . . 67 NictaTech Software Digital Patrol . . . . . . . . . . . . . . . . . . . . 68 NETGATE Technologies Spy Emergency 2009 Version 6.0.405. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Norman Security Suite, Virus Control, and Endpoint Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Norton® AntiVirus 2009 and Gaming Edition. . . . . . . . . . . 72 NovaShield Anti-Malware. . . . . . . . . . . . . . . . . . . . . . . . . . . 73 ParetoLogic AntiVirus PLUS 6.0 . . . . . . . . . . . . . . . . . . . . . . 74 ParetoLogic Anti-Spyware. . . . . . . . . . . . . . . . . . . . . . . . . . . 75 PCSecurityShield The Shield Deluxe 2009 . . . . . . . . . . . . . 76 PC Tools ThreatFire® 3 4.5.0 . . . . . . . . . . . . . . . . . . . . . . . . . 77 Prevx® 3.0 + Removal and + Real-time. . . . . . . . . . . . . . . . 78 Proland Software Protector Plus 2009 for Windows, Exchange Server, and NetWare Server. . . . . . . . . . . . . . . .79 Protea AntiVirus Tools for Lotus Domino 2.09.271. . . . . . . 80 Quick Heal Technologies AntiVirus Plus 2009 . . . . . . . . . . 81 Resplendence Software Projects SanityCheck 1.02. . . . . 82 Sagyn Solutions SysIntegrity. . . . . . . . . . . . . . . . . . . . . . . . . 83 Secure Resolutions Anti-CyberCrime 2009. . . . . . . . . . . . . 84 Security Stronghold Security Suite . . . . . . . . . . . . . . . . . . . 85 Smart PC Solutions 1-2-3 Spyware Free. . . . . . . . . . . . . . . 86 Sourcefire ClamAV 0.95 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 SRN Micro Systems Solo Antivirus . . . . . . . . . . . . . . . . . . . 88 Sunbelt Software VIPRE® Antivirus + Antispyware, Enterprise, SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Symantec® Endpoint Protection and AntiVirus. . . . . . . . . 90 iv IA Tools Report TrendMicro AntiVirus + AntiSpyware . . . . . . . . . . . . . . . . . 93 Trojan Remover 6.7.9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 TrustPort Antivirus 2009, USB Edition, U3 Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 VirusBuster®. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Webroot® AntiVirus with AntiSpyware 6.1, AntiSpyware Corporate Edition 3.5 with AntiVirus . . . . . . 97 WenPoint HiddenFinder v1.5.3. . . . . . . . . . . . . . . . . . . . . . . . 98 Zemana AntiLogger. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 4.3.1.2 Anti-Virus Tools . . . . . . . . . . . . . . . . . . . 100 AhnLab Mobile Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 AnVir Virus Destroyer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 ArcaBit ArcaVir® 2009 Antivirus Protection . . . . . . . . . . 103 Ashampoo AntiVirus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Australian Projects Zondex Guard. . . . . . . . . . . . . . . . . . . 105 Beijing Rising International Software Rising PC Doctor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 BullGuard® Mobile Antivirus . . . . . . . . . . . . . . . . . . . . . . . 107 CA® Anti-Virus 2009. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Deerfield.com VisNetic® MailScan. . . . . . . . . . . . . . . . . . 109 DiamondCS WormGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . .110 e-Frontier Virus Killer Internet Security, Virus Killer Zero. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 FRISK Software International F-PROT® Antivirus v6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 G DATA® AntiVirus 2010. . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 GFI MailSecurity v.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Ikarus Security Software virus.utilities. . . . . . . . . . . . . . . 115 ISecSoft Anti-Trojan Elite. . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Liao Pecong’s USB Drive AntiVirus . . . . . . . . . . . . . . . . . . 117 Loaris Trojan Remover 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 118 McAfee® VirusScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Mischel Internet Security TrojanHunter 5.1. . . . . . . . . . . 120 My Free Antivirus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 New Technology Wave Virus Chaser. . . . . . . . . . . . . . . . . 122 PC Tools AntiVirus 6.0.0.19. . . . . . . . . . . . . . . . . . . . . . . . . . 123 Smart PC Solutions Handy Antivirus . . . . . . . . . . . . . . . . . 124 VirusBlokAda Vba32. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Your-Soft Anti-Virus&Trojan. . . . . . . . . . . . . . . . . . . . . . . . . 126 Your-Soft Trojan Guarder 6.50 and Trojan Guarder Gold 7.74 . . . . . . . . . . . . . . . . . . . . . . . 127 ZoneAlarm® Antivirus 2009. . . . . . . . . . . . . . . . . . . . . . . . . 128 4.3.1.3 Anti-Spyware Tools. . . . . . . . . . . . . . . . 129 AdWareAlert. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 AhnLab SpyZero 2007. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 CA Anti-Spyware 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Crawler Spyware Terminator. . . . . . . . . . . . . . . . . . . . . . . . 133 Enigma Software Group SpyHunter® v.3. . . . . . . . . . . . . 134 iS3 STOPzilla®. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 ISecSoft Anti-Keylogger Elite v3.3.3. . . . . . . . . . . . . . . . . . 136 McAfee AntiSpyware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Microsoft Windows Defender. . . . . . . . . . . . . . . . . . . . . . . 138 Neuber Software Anti-Spy.Info. . . . . . . . . . . . . . . . . . . . . . 139 NoAdware 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 ParetoLogic XOFTspy® Portable Anti-Spyware, XoftSpySE Anti-Spyware. . . . . . . . . . . . . . . . . . . . . . . . . . . 141 PC Tools SpywareDoctor 6.0.1.441. . . . . . . . . . . . . . . . . . . 142 Rnsafe Spyware Cleaner 2009 2.03. . . . . . . . . . . . . . . . . . . 143 Safer Networking Spybot - Search & Destroy 1.6.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 SecureMac® MacScan® 2.6.1 . . . . . . . . . . . . . . . . . . . . . 145 Security Stronghold True Sword. . . . . . . . . . . . . . . . . . . . . 146 Sunbelt Software CounterSpy®, CounterSpy Enterprise, CounterSpy Gateway SDK. . . . . . . . . . . . . . . . 147 SuperAntiSpyware® Professional Edition. . . . . . . . . . . . 148 SystemSoftLab Spyware Process Detector. . . . . . . . . . . 149 TrendMicro Transaction Guard. . . . . . . . . . . . . . . . . . . . . . 150 Usec.at Nemesis Antispyware . . . . . . . . . . . . . . . . . . . . . . 151 Webroot Software AntiSpyware Corporate Edition 3.5 and Spy Sweeper® 6.1. . . . . . . . . . . . . . . . . . . 152 Your-Soft Anti-Virus&Spyware. . . . . . . . . . . . . . . . . . . . . . 153 4.3.1.4 Anti-Rootkit Tools . . . . . . . . . . . . . . . . 154 Andres Tarasco’s RKDetector v2.0. . . . . . . . . . . . . . . . . . . 155 Christian Hornung’s OS X Rootkit Hunter 0.2 . . . . . . . . . . 156 DiabloNova’s Rootkit Unhooker (RkU) . . . . . . . . . . . . . . . . 157 F-Secure BlackLight Rootkit Eliminator. . . . . . . . . . . . . . . 158 GMER v1.0.15.14972. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 iDefense HookExplorer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 MANDIANT® Memoryze. . . . . . . . . . . . . . . . . . . . . . . . . . . 161 McAfee Rootkit Detective Beta . . . . . . . . . . . . . . . . . . . . . 162 Michael Boelen’s Rootkit Hunter 1.3.4. . . . . . . . . . . . . . . . 163 Microsoft Sysinternals RootkitRevealer v1.71. . . . . . . . . 164 Panda Security Anti-Rootkit v1.07 . . . . . . . . . . . . . . . . . . . 165 Pangeia Informatica chkrootkit. . . . . . . . . . . . . . . . . . . . . . 166 Sophos® Anti-Rootkit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 SysProt AntiRootkit v1.0.1.0. . . . . . . . . . . . . . . . . . . . . . . . . 168 TrendMicro RootkitBuster v2.52 Beta . . . . . . . . . . . . . . . . 169 Usec.at Radix Rootkit Detector. . . . . . . . . . . . . . . . . . . . . . 170 Xfocus IceSword 1.22. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 zeppoo 0.0.4 beta. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 4.3.1.5 Anti-Bot, Anti-Botnet, and Anti-Zombie Tools. . . . . . . . . . . . 173 Damballa® Failsafe. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 SRI International BotHunter. . . . . . . . . . . . . . . . . . . . . . . . .175 TrendMicro RUBotted (Beta). . . . . . . . . . . . . . . . . . . . . . . . 176 4.3.2 Malware Prevention, Termination, and Constraint Tools. . . . . . . . . . . . . . . . . . . . . . . . . 177 Apocgraphy Security Bulldog. . . . . . . . . . . . . . . . . . . . . . . 178 Backfaces Process Master. . . . . . . . . . . . . . . . . . . . . . . . . 179 DiamondCS ProcessGuard. . . . . . . . . . . . . . . . . . . . . . . . . . 180 Leithauser Research Trojan Slayer . . . . . . . . . . . . . . . . . . 181 Mocana® NanoDefender®. . . . . . . . . . . . . . . . . . . . . . . . . 182 Security Stronghold Active Shield. . . . . . . . . . . . . . . . . . . 183 Softmedia Publishing SpyCop® Cloak. . . . . . . . . . . . . . . . 184 Usec.at Ushields Systemshields. . . . . . . . . . . . . . . . . . . . . 185 4.3.3 Malware Analysis Tools. . . . . . . . . . . . . . . . . . 186 DiamondCS Deep System Explorer . . . . . . . . . . . . . . . . . . 187 iDefense Malcode Analysis Pack. . . . . . . . . . . . . . . . . . . . 188 iDefense SysAnalyzer with ProcessAnalyzer. . . . . . . . . . 189 MANDIANT Red Curtain V1.0 . . . . . . . . . . . . . . . . . . . . . . . 190 Norman SandBox Analyzer and SandBox Analyzer Pro . . . . . . . . . . . . . . . . . . . . . . . . . 191 4.3.4 Other Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 iDefense Multipot v0.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Invisible Things System Virginity Verifier (SVV) . . . . . . . 194 4.3.5 Malicious Code Detection and Analysis Services. . . . . . . . . . . . . . . . . . . . 195 Section 5 u Informational Resources . . . . . . . . . . . . 197 SECTION 6 u eferences and R Bibliography . . . . . . . . . . 201 SECTION 7 u efinitions of Acronyms D and Key Terms . . . . . . . . 211 SECTION 8 u Definitions. . . . . . . . . . . . 215 Section 9 u dditional A Information. . . . . . . . . . . 217 9.1 Economic Rationale for Malware Attackers . . . . . . 217 9.2 Objectives of Botnet Attackers. . . . . . . . . . . . . . . . . . 217 9.3 Worms: How They Are Constructed, How They Operate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 9.4 Malicious Anti-malware Tools . . . . . . . . . . . . . . . . . . 219 IA Tools Report v Section 1 u Introduction Note: All documents and online content cited in this report or used in its development are listed in Appendix A, Bibliography. The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information to support Information Assurance (IA) and defensive information operations. IATAC is one of 10 Information Analysis Centers (IAC) sponsored by DoD and managed by the Defense Technical Information Center (DTIC). IACs are formal organizations chartered by DoD to facilitate the use of existing scientific and technical information. Scientists, engineers, and information specialists staff each IAC. IACs establish and maintain comprehensive knowledge bases that include historical, technical, scientific, and other data and information, which are collected worldwide. Information collections span a wide range of unclassified, limited-distribution, and classified information appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain, and develop analytical tools and techniques, including databases, models, and simulations. IATAC’s mission is to provide DoD with a central point of access for information on emerging technologies in IA and cyber security. These include technologies, tools, and associated techniques for detection of, protection against, reaction to, and recovery from information warfare and cyber attacks that target information, information-based processes, information systems, and information technology. Specific areas of study include IA and cyber security threats and vulnerabilities, scientific and technological research and development, and technologies, standards, methods, and tools through which IA and cyber security objectives are being or may be accomplished. As an IAC, IATAC’s basic services include collecting, analyzing, and disseminating IA scientific and technical information; responding to user inquiries; database operations; current awareness activities (e.g., the IAnewsletter, IA Digest, IA/Information Operations Events Scheduler, and IA Research Update); and publishing State-of-the-Art Reports, Critical Review and Technology Assessments reports, and Tools Reports. The IA Tools Database is one of the knowledge bases maintained by IATAC. This knowledge base contains information on a wide range of intrusion detection, vulnerability analysis, firewall applications, and anti-malware tools. Information for the IA Tools Database is obtained via open-source methods, including direct interface with various agencies, organizations, and vendors. Periodically, IATAC publishes a Tools Report to summarize and elucidate a particular subset of the tools information in the IATAC IA Tools Database that addresses a specific IA or cyber security challenge. To ensure applicability to Warfighter and Research and Development Community (Program Executive Officer/Program Manager) needs, the topic areas for Tools Reports are solicited from the DoD IA community or based on IATAC’s careful ongoing observation and analysis of the IA and cyber security tools and technologies about which that community expresses a high level of interest. IA Tools Report 1 Section 1 Introduction Inquiries about IATAC capabilities, products, and services may be addressed to: Gene Tyler, Director 13200 Woodland Park Road, Suite 6031 Herndon, VA 20171 Phone: 703/984-0775 Fax: 703/984-0773 Email: iatac@dtic.mil URL: http://iac.dtic.mil/iatac SIPRNET: https://iatac.dtic.mil 1.1 Purpose This report provides a brief background on what malware is, the types of malware and how they operate, recent trends in malware capabilities, behaviors, and incidents, and what makes systems vulnerable to malware infection. The report also discusses the types of countermeasures used to fight malware, and the technological capabilities employed by those countermeasures. The report goes on to provide a summary of the characteristics and capabilities of publicly available anti-malware tools (commercial, open source, and free). Finally, the report identifies a number of suggested resources for learning more about malware and anti-malware technology and tools and for obtaining guidance on how to effectively mitigate malware risks throughout the information technology life cycle. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tools. The written descriptions are based solely on the suppliers’ claims and are intended only to highlight the capabilities and features of each tool. These descriptions do not reflect the opinion of IATAC. It is up to the readers of this document to assess which product, if any, might best meet their needs. Technical questions concerning this report may be addressed to iatac@dtic.mil. 2 IA Tools Report 1.2 Scope Currently, the IATAC database contains descriptions of numerous tools that can be used to reduce the risks posed by malware. Malware, or malicious code, is defined by the Committee for National Security Systems Instruction 4009 National Information Assurance (IA) Glossary as “software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an [Information System].” According to the NSA’s Guidance for Addressing Malicious Code Risk, “adverse impact” is not limited only to loss of confidentiality, integrity, availability: it includes loss of any required property of the targeted information system, including dependability, usability, performance, and privacy. Privacy is a particular concern when it comes to malware, as many forms of malware, especially spyware, are specifically intended to steal personal and personally identifying information from the computer systems they target. Anti-malware tools are programs that perform one or more of the following activities to minimize the risk posed by malware— XXDetection of malware, malware indicators, or anomalous behavior that may indicate the presence of malware; XXBlocking malware from entering or installing on a system; XXIsolation and constraint (also known as quarantine) to prevent malware’s execution from adversely impacting the system; XXEradication to remove the malware and its associated traces, ideally with full recovery from its effects. Different anti-malware tools may use different techniques and technologies to accomplish one or more of these risk-mitigating activities. To some extent, the approaches a tool uses will be governed by the type or types of malware the tool is intended to address. Viruses and worms have different Section 1 Introduction modi operandi and adverse impacts than spyware and rootkits, so the techniques and tools used to find, isolate, and eliminate them will differ. Many vendors and developers of such tools (heretofore referred to collectively as “suppliers”) advertise the uniqueness or advanced nature of their tools’ technical approaches as key selling points. This marketing strategy is driven by the widespread recognition that the most well-established technology for fighting malware—detection based on the malware signature [2]—is increasingly ineffective in finding many emerging types of malware that have been expressly engineered to evade signature-based detection. An increasingly popular alternative detection approach is heuristic detection of anomalies in a program’s or system’s behavior that are known to be indicators of the presence of malware. A number of current anti-malware tool developers combine signature-based and heuristic detection techniques in hopes of improving their tools’ “hit rate” by reducing the number of “false positives” (detections of malware that is not actually present) and “false negatives” (non-detections of malware that is, in fact, present). Most tools that detect malware also provide some capability to isolate (quarantine) and eradicate (remove from the system) any malware the tool has detected. Again, a variety of techniques and technologies have emerged for implementing these actions in anti-malware tools. Some tools focus on keeping malware out of the system in the first place, either by blocking it at the entry point to the network to which the system is attached, or by preventing it from installing on the system. Non-installation is the goal of many anti-rootkit tools because, once installed, rootkits can be very difficult to locate and, if found, to remove without damaging the system. All of the tools identified in this report are available on the Internet, either for direct download or for purchase. They range from elaborate commercial anti-malware tool suites to simple freeware tools produced by one or two developers. The sheer number of available tools required the authors to apply some criteria to decide which tools would be included, and which would not. The following criteria were used to exclude certain categories of tools from the descriptions in Section 4 of this report— XXTools that address only single malware instances. There are a number of tools, such as AntiLove for removing the “I Love You” virus and the F-Secure® Anti-Virus “Klez” Removal Tool, that target only a single virus. Such tools are usually produced to fill a gap between the appearance of the virus and the addition of signatures for that virus to broader anti-virus tools. Such single-virus tools have been excluded from this report because by the time it is published, most, if not all of the viruses targeted by these tools will be addressed by most of the antivirus and general anti-malware tools described here. XXAnti-malware capabilities integrated into larger security tool suites or other software applications. Numerous “enterprise security management” products, application firewalls, and even some virtual machine environments now incorporate anti-malware capabilities. The authors felt it would be inappropriate to describe all of these products, as their focus was not exclusively on malware. The authors have, however, identified instances in which a supplier has included the functionality of their anti-malware tool(s) in other of their security product offerings. XXTools that are not malware-specific, but are coincidentally useful as operational countermeasures or as malware analysis tools. These include such tools as general security tools, spam filters, firewalls, virtual machine environments, and forensic analysis tools, binary code analysis, and reverseengineering tools). Such tools are not included here because they are not malware-specific. XXTools reported to be or contain malicious code. Even if such tools actually provide the anti-malware functionality they claim, their primary purpose has to be understood to be malicious, and therefore the authors deemed them not worthy of description. However, a discussion of such suspicious tools has been provided in Appendix D to raise the reader’s awareness. IA Tools Report 3 Section 1 Introduction XXTools that address only delivery vectors for malware rather than malware itself. While vectors and exploits such as spam and cross-site scripting (XSS) are common delivery mechanisms for malware, they do not themselves constitute malware. For this reason, this report does not discuss tools for detecting or blocking spam, XSS, and other mechanisms or attacks used as malware delivery vectors. XXTools known (or strongly suspected) to be no longer supported by their suppliers or by any third party. The authors have drawn the line at Microsoft® Windows® 2000 as the oldest platform of interest for the tools covered in this report. Tools that run only on operating system (OS) versions older than Windows 2000 (i.e., Windows NT®, 98, and 95), UNIX versions prior to System V Release 3, or Macintosh® OS versions prior to OS X have not been discussed here. However, the report does cover tools that run on these earlier versions when they are supported in addition to later operating system versions. Regardless of platform, tools that have been reported by their suppliers to be no longer supported have also been excluded, even though they are still being made available without support. Ongoing support is particularly important for anti-malware tools that rely on signatures, as failure to issue signatures for new malware will rapidly render a tool obsolete. 4 IA Tools Report The authors have used their best efforts to document all available anti-malware tools, but the sheer quantity of such tools virtually guarantees that some will have been inadvertently overlooked. In addition, anti-malware tools are constantly being added to the inventory to counter new threats. The tools listed in this Report are current as of 31 May 2009. Please be assured that any exclusions not related to the criteria above were not intentional. If you are aware of any tool(s) that you feel should have been included, please contact the IATAC at iatac@dtic.mil with information or pointers to information about the excluded tool(s). Section 1 Introduction 1.3 Report Organization This report is organized into five sections and four appendices, listed and described in Table 1-1. Table 1-1 Report Organization and Content Section Title Contents 1 Introduction Provides introductory and background information on the IATAC and on the key concepts and remaining content of the report 2 Malware Overview Categorizes and describes what constitutes the various types of malware for which countermeasures, in the form of tools, are available. This section also identifies the vulnerabilities in systems that make them subject to malware infection, and discusses some of the recent trends observed the nature of malware incidents, and the motivations of their perpetrators. 3 Anti-malware Countermeasures Describes the variety of approaches used by anti-malware tools to detect, block, isolate and constrain, and eradicate malware. This section also discusses how anti-malware countermeasures can be included in IT security programs, and also how user, administrator, and developer awareness and knowledge of the malware threat can be increased. 4 Anti-malware Tools Describes the approaches used to categorize the anti-malware tools in the IATAC IA database and the criteria for their inclusion in the database, and provides the descriptions of available anti-malware tools 5 Information Resources Lists some key sources of information about malware, and some recommended guidance documents for addressing malware risk. This section also lists organizations and initiatives focused on addressing the problem of malware. 6 References and Bibliography Lists print and online resources cited in or used in the development of this report 7 Acronyms and Abbreviations List and amplifies all acronyms and non-common abbreviations used in this report 8 Definitions Lists and defines key terms as they are used in this report 9 Additional Information Provides additional information on the perpetrators of malware incidents, on how worms operate, and on the problem of anti-malware tools that are themselves malicious Disclaimer—The authors have made a best effort to indicate registered trademarks where they apply, based on searches in the U.S. Patent and Trademark Office Trademark Electronic Search System for “live” registered trademarks for all company, product, and technology names. There is a possibility, however, that due to the large quantity of such names in this Report, some trademarks may have been overlooked in our research. We apologize in advance for any trademarks that may have been inadvertently excluded, and invite the trademark registrants to contact the IATAC to inform us of their trademark status so we can appropriately indicate these trademarks in our next revision. Note that we have not indicated non-registered and non-U.S. registered trademarks due to the inability to research these effectively. IA Tools Report 5 Section 1 Introduction References 2 A malware “signature” is a uniquely identifying portion of code extracted from a malware program that has been captured by a malware researcher. Because it is unique to a particular malware program, a signature can be used to perform pattern matching comparisons against the content of files and executables that are suspected to be “infected” in order to locate other instances of the same malware program. Signatures are referred to by some anti-malware developers and vendors as “fingerprints.” 6 IA Tools Report Section 2 u Malware Overview Because the first malware to gain public attention was the computer virus, the term “virus” has come to be used interchangeably with “malware” (other terms, such as “badware” and “harmware” are also used), although a virus is a specific category of malware; other categories include worms, Trojan horses (also referred to as Trojans), bots (also botnets and zombies), logic bombs and time bombs, spyware, and rootkits, with further subdivisions possible within all of these categories. The main categories of malware, and the types of malware within each of those categories, are discussed below. 2.1 Categorization of Malware Table 2-1 lists all malware types known to be active from 2003 to present. How malware is categorized is Table 2-1 obscured slightly by the fact that “virus” is often used to refer to any type of delivered (vs. embedded) malware, including worms and Trojan horse programs. Malware Types Category Types within Category Subtypes within Types Virus Replicates by attaching its program instructions to an ordinary “host” program or document, so that the virus instructions are executed when the host program is executed File virus Uses the file system of a given OS (or more than one) to propagate. File viruses include viruses that infect executable files, companion viruses that create duplicates of files, viruses that copy themselves into various directories, and link viruses that exploit file system features. Script virus A subset of file viruses, written in one of a variety of script languages (Visual Basic® Script, JavaScript®, Windows Batch, PHP, etc.). Either infects other scripts, e.g., Windows or Linux® command and service files, or forms a part of a multi-component virus. Script viruses are able to infect other file formats, such as HyperText Markup Language (HTML), if that file format allows the execution of scripts. Boot sector virus Infects the boot sector or the master boot record, or displaces the active boot sector, of a hard drive. Once the hard drive is booted up, boot sector viruses load themselves into the computer’s memory. Many boot sector viruses, once executed, prevent the OS from booting. Boot sector viruses were widespread in the 1990s, but have almost disappeared since the introduction of 32-bit processors and the near-disappearance of floppy disks as a storage medium for executables. IA Tools Report 7 Section 2 Malware Overview Category Types within Category Virus Replicates by attaching its program instructions to an ordinary “host” program or document, so that the virus instructions are executed when the host program is executed Macro virus Written in the macro scripting languages of word processing, accounting, editing, or project applications, it propagates by exploiting the macro language’s properties in order to transfer itself from the infected file containing the macro script to another file. The most widespread macro viruses are for Microsoft® Office® applications (Word®, Excel®, PowerPoint®, Access®). Because they are written in the code of application software, macro viruses are platform independent and can spread between Mac, Windows, Linux, and any other system running the targeted application. Electronic mail (email) virus Refers to the delivery mechanism rather than the infection target or behavior. Email can be used to transmit any of the above types of virus by copying and emailing itself to every address in the victim’s email address book, usually within an email attachment. Each time a recipient opens the infected attachment, the virus harvests that victim’s email address book and repeats its propagation process. Multi-variant virus The same core virus but implemented with slight variations, so that an anti-virus scanner that can detect one variant will not be able to detect the other variants. Radio Frequency Identification (RFID) virus A type of theoretical [3] virus that is expected to target RFID devices. So far, such viruses have only been demonstrated by researchers (as described at http://www.rfidvirus.org/). 8 IA Tools Report Subtypes within Types Section 2 Malware Overview Category Types within Category Subtypes within Types Network worm Self-propagating program that spreads over a network, usually the Internet. Unlike viruses, may not depend on other programs or victim actions (such as opening an infected email attachment or clicking on the Web link for a malware Web site) for replication, dissemination, or execution. Worms spread by locating other vulnerable potential hosts on the network (e.g., via scanning or topological analysis—see discussion of worm propagation strategies below), then copying their program instructions to those hosts. Worms have traditionally been categorized according to their dissemination medium. More recently, however, they have begun to be categorized according to their propagation speed. Appendix D:D.2 explains how worms are constructed and how they propagate. Email worm Spread via infected email attachments. Mass-mailing worm Embedded in an email attachment, which must be opened by the intended victim to enable the worm to install itself on the victim’s host, from which it can copy and disseminate itself to other hosts. Instant messaging® (IM) worm Spread via infected attachments to IM messages or reader access to Uniform Resource Locators (URL) in IM messages that point to malicious Web sites from which the worm is downloaded. Internet Relay Chat (IRC) worm Comparable to IM worms, but exploit IRC rather than IM channels. Web or Internet worm Spread via user access to a Web page, File Transfer Protocol (FTP) site, or other Internet resource. File-sharing or peer-to-peer (P2P) worm Copies itself into a shared folder, then uses P2P mechanisms to announce its existence in hopes that other P2P users will download and execute it. Warhol worm Theoretical* worm conceived by a researcher at University of California at Berkeley: a worm that can spread across the Internet to infect all vulnerable servers within 15 minutes of activation. (“Warhol” refers to Andy Warhol’s claim that every person has 15 minutes of fame.) Flash worm Theoretical worm that spreads within seconds of activation to all of the vulnerable hosts on the Internet. The discussion of worm propagation techniques in Appendix D explains the types of scanning that could make a flash worm possible. IA Tools Report 9 Section 2 Malware Overview Category Types within Category Network worm Self-propagating program that spreads over a network, usually the Internet. Unlike viruses, may not depend on other programs or victim actions (such as opening an infected email attachment or clicking on the Web link for a malware Web site) for replication, dissemination, or execution. Worms spread by locating other vulnerable potential hosts on the network (e.g., via scanning or topological analysis—see discussion of worm propagation strategies below), then copying their program instructions to those hosts. Worms have traditionally been categorized according to their dissemination medium. More recently, however, they have begun to be categorized according to their propagation speed. Appendix D:D.2 explains how worms are constructed and how they propagate. Swarm worm An intelligent theoretical worm able to cooperate with large numbers of other worms to exhibit emergent swarm behavior “wherein simple interactions of autonomous agents, with simple primitives, give rise to a complex behavior that has not been specified explicitly.” At least one proof-of-concept swarm worm, “ZachiK,” has been modeled and prototyped by researchers in the Worcester Polytechnic Institute Systems Security Research Laboratory in 2005-2006. Trojan Horse (or, simply, Trojan) A destructive program that masquerades as a benign program. Stealthware—such as spyware, rootkits, keyloggers, trapdoors, and certain adware—represents a subset of Trojans that is intentionally designed to be hard-todetect or undetectable Trojan horse software installs itself on the victim’s computer when the victim opens an email attachment or computer file containing the Trojan, or clicks on a Web link that directs the victim’s browser to a Web site from which the Trojan is automatically downloaded. Once installed, the software can be controlled remotely by hackers for criminal or other malicious purposes, such as extracting money, passwords, or other sensitive information, or to create a zombie from which to disseminate spam, phishing emails, the same Trojan, or other malware to other computers on the network/Internet. Recently, Trojans have begun using process injection to a greater extent. Several factors make this technique dangerous—(1) the Trojan is not visible in traditional process viewers, including Windows Task Manager; (2) most Trojan and virus scanners have a very hard time detecting the running Trojan code; (3) the Trojan code is very difficult to unload. Backdoor Trojan (also known as Trapdoor Trojan or Remote-Access Trojan) Acts as a remote administration utility that enables control of the infected machine by a remote host. Examples: Back Orifice, SubSeven 10 IA Tools Report Subtypes within Types Denial of service (DoS) Trojan If the Trojan infection spreads widely enough, the remote attacker gains the ability to create a distributed denial of service (DDoS) attack. FTP Trojan Opens port 21, enabling the remote attacker to connect to the victim’s machine via FTP. Section 2 Malware Overview Category Types within Category Subtypes within Types Trojan Horse (or, simply, Trojan) A destructive program that masquerades as a benign program. Stealthware—such as spyware, rootkits, keyloggers, trapdoors, and certain adware—represents a subset of Trojans that is intentionally designed to be hard-todetect or undetectable Trojan horse software installs itself on the victim’s computer when the victim opens an email attachment or computer file containing the Trojan, or clicks on a Web link that directs the victim’s browser to a Web site from which the Trojan is automatically downloaded. Once installed, the software can be controlled remotely by hackers for criminal or other malicious purposes, such as extracting money, passwords, or other sensitive information, or to create a zombie from which to disseminate spam, phishing emails, the same Trojan, or other malware to other computers on the network/Internet. Recently, Trojans have begun using process injection to a greater extent. Several factors make this technique dangerous—(1) the Trojan is not visible in traditional process viewers, including Windows Task Manager; (2) most Trojan and virus scanners have a very hard time detecting the running Trojan code; (3) the Trojan code is very difficult to unload. Data-collecting Trojan Surreptitiously collects and sends back information from the victim’s machine. The surreptitious nature of such software has led to it being referred to as “stealthware.” Spyware Trojan (also known as a spybot or system monitor Trojan) Trojan installed surreptitiously on a personal computer (PC) or laptop/notebook to collect information about its user, the user’s computer, and/or his/her browsing habits without the user’s informed consent. The functions of spyware extend beyond passive monitoring to active collection of various types of personal information (e.g., Web surfing habits, sites visited); interference with user control of the computer through installation of additional software and/or redirection of browser activity; reconfiguration of computer settings, resulting in slow connection speeds, changing of home pages, and/or loss of Internet connectivity or functionality of other programs. Not all spyware programs are Trojans. According to Computer Associates’ 2008 “Internet Security Outlook,” Trojans accounted for 18 percent of all spyware in 2007—up from 11 percent in 2006. Keylogger Installs itself either into a Web browser or as a device driver, from where it monitors the data input by the user via the keyboard, and forwards that data to a control center, such as a phishing site. Screenlogger Captures snapshots of the victim’s computer screen, which it forwards to a control center. Password SpyWare Trojan Sniffs and steals passwords from the infected machine. IA Tools Report 11 Section 2 Malware Overview Category Trojan Horse (or, simply, Trojan) A destructive program that masquerades as a benign program. Stealthware—such as spyware, rootkits, keyloggers, trapdoors, and certain adware—represents a subset of Trojans that is intentionally designed to be hard-todetect or undetectable Trojan horse software installs itself on the victim’s computer when the victim opens an email attachment or computer file containing the Trojan, or clicks on a Web link that directs the victim’s browser to a Web site from which the Trojan is automatically downloaded. Once installed, the software can be controlled remotely by hackers for criminal or other malicious purposes, such as extracting money, passwords, or other sensitive information, or to create a zombie from which to disseminate spam, phishing emails, the same Trojan, or other malware to other computers on the network/Internet. Recently, Trojans have begun using process injection to a greater extent. Several factors make this technique dangerous—(1) the Trojan is not visible in traditional process viewers, including Windows Task Manager; (2) most Trojan and virus scanners have a very hard time detecting the running Trojan code; (3) the Trojan code is very difficult to unload. Types within Category Notifier Confirms that a machine has been successfully infected, and sends information about the Internet protocol (IP) address, open port numbers, email address, etc., of the victim’s machine. Downloader, or Dropper Downloads, installs, and in the case of the Downloader, launches additional malware on the victim’s machine. IA Tools Report Security software disabler Terminates/kills the execution of security programs, such as anti-virus software, firewalls, and intrusion detection agents in order to render the victim’s machine vulnerable to further attacks. Rogue security software Represents itself as as anti-malware or anti-spyware software but, in fact, either does nothing, leaving the system vulnerable (and the user with a false sense of security) or installs malware. Appendix D: D.3 discusses some of the ways in which such tools reveal themselves to be malicious. ArcBomb An archived file that sabotages the archive decompressor used to open archive files. When the infected archived file is opened, the bomb is executed, causing the victim’s hard disk to be flooded with nonsensical data, its resources to be “hogged,” or simply causing it to crash. Proxy Trojan Turns the victim’s computer into a proxy server (i.e., a zombie) that operates on behalf of the remote attacker. If the attacker’s activities are detected and tracked, the trail leads back to the victim rather than to the attacker. 12 Subtypes within Types Section 2 Malware Overview Category Types within Category Trojan Horse (or, simply, Trojan) A destructive program that masquerades as a benign program. Stealthware—such as spyware, rootkits, keyloggers, trapdoors, and certain adware—represents a subset of Trojans that is intentionally designed to be hard-todetect or undetectable Trojan horse software installs itself on the victim’s computer when the victim opens an email attachment or computer file containing the Trojan, or clicks on a Web link that directs the victim’s browser to a Web site from which the Trojan is automatically downloaded. Once installed, the software can be controlled remotely by hackers for criminal or other malicious purposes, such as extracting money, passwords, or other sensitive information, or to create a zombie from which to disseminate spam, phishing emails, the same Trojan, or other malware to other computers on the network/Internet. Recently, Trojans have begun using process injection to a greater extent. Several factors make this technique dangerous—(1) the Trojan is not visible in traditional process viewers, including Windows Task Manager; (2) most Trojan and virus scanners have a very hard time detecting the running Trojan code; (3) the Trojan code is very difficult to unload. Rootkit A collection of programs used by a hacker to evade detection while trying to gain unauthorized access to the victim’s computer. Rootkits are designed to hide processes, files, or Windows Registry entries. Rootkits are used by hackers to hide their tracks or to insert threats surreptitiously on compromised computers. Various types of malware use rootkits to hide themselves on a computer. A rootkit is installed by replacing system files or libraries, or by installing a specially crafted kernel module. Kernel-mode rootkits are much more common than user-mode rootkits, because they more powerful and easier to hide. To install a rootkit, the attacker must first obtain user-level access to the victim’s computer by cracking a password or by exploiting a vulnerability; once this access is gained, the attacker gathers other user identifiers (ID) on the system until he/she is able to obtain root or administrator privileges. Once hackers get “root access” to a computer, they can manipulate it to do anything they want. Used in combination with Trojan software, hackers use rootkits to change system settings and make use of the victim computer without the user—and usually without monitoring software such as firewalls or anti-virus programs—being able to detect it. In its 2006 annual malware report, Microsoft estimated that rootkits were present in 14 percent of computers—or 9 percent when copies of the Sony Bertelsmann Music Group rootkit are subtracted. In 20 percent of cases, rootkits were installed with Trojans. Subtypes within Types IA Tools Report 13 Section 2 Malware Overview Category Types within Category Subtypes within Types Trojan Horse (or, simply, Trojan) A destructive program that masquerades as a benign program. Stealthware—such as spyware, rootkits, keyloggers, trapdoors, and certain adware—represents a subset of Trojans that is intentionally designed to be hard-todetect or undetectable Trojan horse software installs itself on the victim’s computer when the victim opens an email attachment or computer file containing the Trojan, or clicks on a Web link that directs the victim’s browser to a Web site from which the Trojan is automatically downloaded. Once installed, the software can be controlled remotely by hackers for criminal or other malicious purposes, such as extracting money, passwords, or other sensitive information, or to create a zombie from which to disseminate spam, phishing emails, the same Trojan, or other malware to other computers on the network/Internet. Recently, Trojans have begun using process injection to a greater extent. Several factors make this technique dangerous—(1) the Trojan is not visible in traditional process viewers, including Windows Task Manager; (2) most Trojan and virus scanners have a very hard time detecting the running Trojan code; (3) the Trojan code is very difficult to unload. Bot Any type of malware (e.g., Trojan, worm, spyware bots or spybots) that enables the attacker to surreptitiously gain complete control of the infected machine. Virtually always surreptitious. A computer that has been infected by a bot is referred to as a zombie or, sometimes, a drone. Bots may be further subcategorized according to their delivery mechanism. For example, a Spam bot is similar to an email virus or mass-mailing worm in that it relies on the intended victim’s action to activate it, either by opening an attachment affixed to a spam email, or by clicking on a Web link within a spam email which points to a Web site from which the bot is downloaded to the victim’s computer. If the bot clones or otherwise replicates itself and exports those clones to other machines, all of the bot instances can communicate and interact with each other, thereby creating a cooperative network of bots, referred to as a botnet. A computer that has been taken over by a bot to become part of a botnet is referred to as a zombie. Botnet A networked group of zombies controlled by hackers known as Bot herders, usually through Trojan software that users have downloaded (either unknowingly, or believing it to be something other than malware). Using various Internet-based communications methods (e.g., Internet Relay Chat, Instant Messaging) the hacker can “wake up” tens of thousands of zombies and direct them to perform actions on the hacker’s behalf, such as delivering spam, phishing, or serving crimeware. It is believed by several malware experts that Conficker’s actual purpose was to install bots on infected systems in order to establish a worldwide botnet. Spyware (non-Trojan) Non-Trojan stealthware that has the same objectives and performs the same types of actions as spyware Trojans. A number of bots have spyware capabilities, and are referred to as spybots. Adware Software that automatically displays advertising material to the user, resulting in an unpleasant user experience. If malicious, adware usually exhibits the behaviors and/or infection techniques used by viruses, worms, and/or spyware. Tracking cookie A cookie is a data structure that stores information about a user’s browser session state. While cookies are a necessary component of how many Web sites operate, tracking cookies are specifically designed to track a user’s behavior across multiple sites. Spyware sites routinely use tracking cookies to monitor a user’s browsing behavior and associate it with the user’s personal data such as name, credit card number, and other private information, which can then be harvested and sold to illicit marketers or cybercriminals. Blended attacks Combines the properties of more than one type of malware—most often viruses, worms, and/or Trojans but also, more recently, bots and adware. For example, the recent trend (2006 onwards) of using worms as a delivery mechanism for other types of malware. 14 IA Tools Report Section 2 Malware Overview Category Types within Category Subtypes within Types Embedded Malicious Code Any type of malicious logic embedded in a valid executable program by its developer, integrator, distributor, or installer. Most frequently a logic bomb, time bomb, or Trojan. Crimeware Any malware used in aid of criminal activities. This said, there are specific types of malware used predominantly or exclusively as crimeware. Email redirector Used to intercept and relay outgoing emails to the attacker’s system. IM redirector Used to intercept and relay outgoing instant messages to the attacker’s system. Clicker Redirects the victim to a Web site or Internet resource by sending the necessary commands to the victim’s browser or replacing the system file(s) in which standard Internet URLs are stored (e.g., the Microsoft® Windows® hosts file). Transaction generator Targets not the end-user computer but the computer of a corporate or financial institution’s computer center. The software generates fraudulent transactions on behalf of the attacker within the victim organization’s payment processing or other financial systems. In some instances, transaction generators are used to intercept credit card data for abuse by the attacker. Session hijacker Usually a malicious browser component that, after the victim logs in or begins a browser session, takes over that session to enable a hacker to exploit it, usually to perform criminal actions, such as transferring money from the victim’s bank account. DoS and distributed denial of service DDoS tools Software tools expressly intended to automate denial of service attacks locally (DoS) or over the network (DDoS). Flooder Floods data channels with useless packets and/or messages. Malware Constructors Software tools for developing/generating new malware. VirTool Utility specifically geared towards simplifying virus-writing. May also provide analysis capabilities to reveal how the virus under construction might best be used in hacking attacks. Nuker Utility that causes fatal errors in the victim machine’s application or OS by sending it specially coded or phrased requests that exploit known vulnerabilities in the application or OS. IA Tools Report 15 Section 2 Malware Overview Category Types within Category Subtypes within Types Malware Constructors Software tools for developing/generating new malware. Cryptographic obfuscators (e.g., FileCryptor, PolyCryptor, PolyEngine) Cryptographic tools used to encrypt malicious programs so that they cannot be detected by anti-malware software. Some of these tools use polymorphic algorithms to generate differently encrypted versions of the same virus, so that even if one is detected, the others will not be. Other hacker tools and programmed exploits Software tools used by attackers to penetrate remote computers, usually via backdoors, and use them as zombies, or to download other malicious programs to the victim machines. Dialers are another form of malware that uses modem connections to either dial back to the attacker, or causes the victim to use primary-rate billing numbers when making connections. 2.2 Vulnerabilities Commonly Exploited by Malware Based on an analysis of malware-related vulnerabilities in the National Vulnerability Database, [4] the following types of vulnerabilities are typically exploited by malware to disseminate, propagate, and install themselves. Most worms exploit vulnerabilities in the victim computer’s software or network to effect their own propagation. When a software vendor issues a patch, or a “researcher” announces a vulnerability, the worm author can use the information in the announcement to understand and craft a worm to exploit the vulnerability. XXVulnerabilities in anti-virus software (exploited to disable the software or evade its detection). 2.3 Trends in Malware Incidents From 2005 to 2006 the total number of new malicious programs increased 41 percent, according to Kaspersky Lab’s “Security Bulletin 2006: Malware Evolution,” and a staggering 172 percent, according to L. Corrons in “PandaLabs’ Annual Report 2007.” Corrons also predicted a 60 percent increase in unique novel malware starting in 2007. Malware appears in any given environment in which the following criteria are satisfied— XXBuffer overflows (the real vulnerability is a design flaw, i.e., the lack or failure of input validation to prevent the submission of overlong data strings); XXWeak access control (due to poorly designed or configured access controls); XXPoor or incorrect handling of malformed data (due to lack or failure of input validation to filter out malformed data); XXDecoding errors (e.g., browser or Web server Uniform Resource Locator [URL] decoding errors); XXSabotaged configurations (e.g., through tampering with the configuration script); 16 IA Tools Report XXThe targeted platform runs an OS that is widely used. XXReasonably high-quality documentation is available to the malware writer. XXThe targeted system is not securely configured, or has a number of documented vulnerabilities. Potentially vulnerable OSs and applications include— XXAll popular desktop OSs (e.g., Windows, Macintosh OS X, Linux); Section 2 Malware Overview XXMost general purpose Web, office, graphics, and project management applications; XXMost graphical editors; XXApplications with built-in scripting languages. It is common for hundreds or even thousands of types of malware to exploit the same handful of vulnerabilities. This happens because the vulnerabilities are not addressed by virus definitions produced by anti-virus software vendors, and patches are not always issued in timely manner (if at all) by the supplier of the target machine’s OS or application; if they are issued, they may not be installed in a timely manner, if at all, by the target machine’s administrator or operator. The following are the most prevalent vectors for malware propagation— XXE–mail (includes spam and other phishing emails), XXWeb sites, XXInstant messages, XXRemovable media (e.g., “thumb” drives, compact discs [CD]), XXIRC, [5] XXBluetooth® (emerging), XXWireless local area network (theoretical). See Appendix D for more extensive descriptions of worm behaviors and propagation vectors. Virus-writers are using increasingly complex techniques to prevent their virus code from being detected by signature-matching anti-virus scanners. The techniques they use include— XXCode integration—Virus code is mixed into valid program code using a tool such as the Mistfall Virus Engine. 2.4 Malware Perpetrators and Their Motivations The following diagram characterizes who the most prevalent perpetrators of malware are, and their motivations— The Innovators Who? Focused individuals who devote their time to finding security holes in systems or exploring new environments to see if they are suitable for malicious code Why? Challenge How? Embrace the challenge of overcoming existing protection measures The Amateur Fame Seekers Who? Novices of the game with limited computing and programming skills Why? Desire for media attention How? Use ready-made tools and tricks The Copy - Catters Who? Would be hackers and malware authors Why? Desire for celebrity status in the cybercrime community How? Interested in recreating simple attacks The Insider Who? Disgruntled or ex-employees, contractors and consultants Why? Revenge or theft How? Take advantage of inadequate security aided by privileges given to their position within the workplace Organized Crime XXPolymorphic encryption—The virus is encrypted to escape detection. XXMetamorphic obfuscation—The virus code is “morphed” by adding non-virus-related logic to obscure the presence of virus logic. As the code changes, so does the virus signature generated from that code, thereby rendering the virus undetectable by matching the signature of the pre-morphed virus. Who? Highly motivated highly organized, real-world cyber-crooks; Limited in number but limitless in power Why? Profit How? A tight core of masterminds concentrated on profiteering by whichever means possible— surrounding themselves with the human and computer resources to make that happen Source: Organization for Economic Cooperation and Development (OECD) IA Tools Report 17 Section 2 Malware Overview One other group of malware authors not included in this diagram are malware researchers who model, simulate, and prototype various types of malware as proofs-of-concept to better understand how the malware operates, propagates, and the recognizable patterns that may be used in its detection. According to Kaspersky Lab, in 2007 the motivation behind all major malware epidemics and widespread malicious programs was financial. This is a change from 2006, in which non-commercial “vandalware” still appeared (e.g., Nyxem.E, a 2006 worm that did nothing but spread itself and delete files). References 3 Theoretical malware is malware that has been observed in laboratory environments, but has not yet been detected “in the wild.” 4 NIST National Vulnerability Database. Accessed 26 June 2008 at: http://web.nvd.nist.gov 5 This is the vector of choice for establishing botnet control. 18 IA Tools Report Section 3 3.1 u Anti-Malware Countermeasures Technology-Based Countermeasures Countermeasures to malware fall into three general categories— XXDetection—The ability to recognize and locate malware on a system, in a file on that system, and/or in software, hardware, or media not yet installed on the system; XXPrevention—Keeping malware from entering, installing, and/or executing on a system. Also, keeping malware from propagating itself to other areas of a system or to other systems. Also, deterring malicious actors from embedding or implanting malware in software before it is installed on the system. XXEradication—Removing malware and all of its associated traces (files, processes, system changes), and restoring the system to its pre-infected state. Each of these categories of countermeasures is discussed below. 3.1.1 Detection The ability to detect the presence of malware is the first step toward its isolation and eradication. Traditionally, virus detection has been performed by matching “signatures” generated from virus code captured by researchers in a laboratory environment (e.g., an anti-virus tool vendor’s lab) against virus code captured in the wild. However, signature-matching has inherent inaccuracies, and is not effective for detecting more sophisticated, complex malware such as rootkits and logic bombs. More advanced behavior-based detection techniques are emerging to address the need to find such malware in both systems under development and systems in operation. 3.1.1.1 Signature-Matching The majority of virus scanners rely on signaturematching, wherein a sequence of instructions unique to a virus is used to generate a “virus signature.” The virus’s signature is captured in a file that is provided to the virus scanning tool. The tool compares this signature against the contents of all binary files it scans; if the signature is present, the virus from which it was generated is determined to be present. Aside from being time-consuming, the results of such scans can be inaccurate, as a pattern match of a virus signature does not always indicate the presence of an actual virus; it may simply be a coincidence (i.e., the seeming virus pattern may, in fact, be part of a larger benign string of binary code). Moreover, if the virus-writer has obfuscated the virus, the virus will be undetectable by signature-matching. What the virus scanner writer must then do is discover what obfuscating technique and transformations were used by the virus-writer, and determine whether those transformations can be reversed to enable scanning for the original virus signature. Signature-matching scanners can run either on a network entry point (e.g., firewall or intrusion prevention system) to scan email and other traffic before it enters the internal network, or on user clients (PCs, laptops, notebooks, etc.). Operationally, they are most effective when deployed on both. Because of competition, different vendors may be the first to issue different signature files; for this reason, it makes sense for server/network based virus scanning to be performed by a different vendor’s scanner(s) than that used for client-based scanning. Because signature-based scanning relies on “signatures” of pieces of actual malicious code, which must be generated by human experts, there is an unavoidable time lag between the first observation of a virus “in the wild” and the generation of that virus’ signature. This time lag means that signature-based scanning is not effective against zero-day attacks. Current research to improve signature-based scanning focuses on automating the signature generation process to significantly reduce this time lag (e.g., Autograph, developed by H. Ah-Kim at Carnegie Melon University). IA Tools Report 19 Section 3 Anti-Malware Countermeasures Not all tool suppliers implement signatures for all of the same malware instances. For this reason, certain tools may detect malware instances that other tools do not. Operationally, this has led some organizations and individual users to install multiple anti-virus scanners from different suppliers on their systems, in hopes of increasing the number of different malware instances that get detected. For others, the management challenge of ensuring that all installed anti-malware tools are kept up to date outweighs the small advantage gained by deploying multiple scanners in this way. Recently, some anti-malware tools vendors have begun offering free online scanning services; such services enable users to gain access to the scanning tools of those suppliers without having to purchase and install them. Such services are limited in that they only detect malware, and cannot eradicate any that they find. The suppliers generally offer the services as “hooks” to encourage the customers to purchase their tools. But the services can also be used as an ongoing quality assurance measure— by checking periodically to see whether the online tools of another supplier detect more or different malware instances than the tools installed on one’s own system, the user can decide whether it makes sense to augment or replace the tool currently in place. 3.1.1.1.1 Data Mining to Improve Signature Generation and Accuracy Using data mining techniques/algorithms, malware executables or bytecode and/or malicious code episode data sets (e.g., fixed-length or variable-length n-grams) are collected as “training samples” to be analyzed using a technique, such as feature extraction (described below), to determine detectable features common to malware. The objective is to use machine learning to develop a Classifier and model that can automate and refine analysis of the content of the collected malware samples/data sets. The size and number of samples to be analyzed is determined through techniques such as n-gram analysis developed by Maloof, M.A. et al. An n-gram at the binary level is a sequence of n consecutive bytes of binary executable; at the assembler level, it is a sequence of n consecutive assembly instructions. This approach is still only in the research and development phase. 20 IA Tools Report 3.1.1.1.2 Operational Threat Discovery to Augment Signature-Based Detection Operational threat discovery is not so much a technical approach as a strategic methodology for combining multiple general security and malwarespecific detection and analysis techniques to compensate for the deficiencies in signature-based detection. Intended for use by red teams and other expert security analysts, operational threat discovery augments traditional signature-based detection. Techniques combined may include— XXNetwork traffic analysis, using devices positioned strategically on the network to collect and analyze traffic flows for malware indicators such as beaconing, data exfiltration, communication, and command and control; XXDevice analysis, to discover unique attributes of data collected from servers and clients that may indicate malware, spyware, or other suspicious activity; XXLog analysis, to detect suspicious activities associated with malware delivery or execution, such as large file transfers and beaconing activities; XXDigital forensic analysis, to locate malicious code indicators (file names, dates, account names, etc.) on hard drive images. 3.1.1.1.3 Emerging improvements to behavior-based detection In hopes of improving early detection of viruses that propagate at hyper-fast speeds (not possible with current signature-based techniques), researchers at Sichuan University in China are applying finite state machine theory to the detection of a virus’s selfrelocation “gene,” both in known virus executables and in unknown but suspicious executables. 3.1.1.2 Behavior-Based Detection Behavior-based detection techniques focus on analyzing the behavior of known and suspected malicious code. Such behaviors include factors such as the source and destination addresses of the malware, the attachment types in which they are embedded, and statistical anomalies in malware Section 3 Anti-Malware Countermeasures infected systems. One example of a behavior-based detection approach is the histogram-based malicious code detection technology patented by Symantec. 3.1.1.2.1 Feature Extraction in Support of Behavior-Based Malware Detection Feature extraction, also known as function extraction, requires reverse engineering of the malware binary and the subsequent review of the resulting assembler or source code. The review focuses on extracting information about important malware features/ functions, and analyzing machine code features and system application programming interface (API) call features (Dynamic Linked Library [DLL] function call information), in order to develop a robust characterization of how the malware operates so that such features can be recognized as hallmarks of future malware. Extensive research into feature extraction for malware is underway at University of Texas at Dallas. The software security analysis firm VeraCode also claims to perform feature extraction for malware as part of their commercial Security Review service. For the past several years, researchers at Carnegie Mellon University’s Software Engineering Institute have been working to implement Function Extraction (FX) technology for automating the derivation and calculation of the functional behavior of software. The objective of this behavior calculation is to reveal the net functional effect of software. Primarily intended to augment human analysis and design activities during the software life cycle, FX is also being investigated for its usefulness in detection and analysis of malicious code embedded within software by revealing its functional intentions and effects (as captured in behavior databases produced by function extractors), and then developing countermeasures to those malicious functional intentions. 3.1.1.2.2 Malicious Property Detection Researchers in the University of Wisconsin’s Wisconsin Safety Analyzer project have developed an approach for analyzing the semantic structures (e.g., control flows and data flows) of software programs for presence of malicious properties such as “the program writes to an executable file,” “the program monitors and changes executables as they are loaded into memory,” and “the program behaves exactly like known virus n.” Based on this analysis, the analyst can develop a “blueprint” of malicious virus behavior from a model of the program to be analyzed. Model checking is then used to determine whether the virus blueprint and the program model “match.” Because it is based on behavioral analysis rather than pattern (signature or string) matching, this approach can be used to detect obfuscated/ morphed viruses, and can be extended to model and analyze other types of malware (e.g., Trojan horses, backdoors, spyware, worms, etc.). 3.1.1.3 Anomaly-Based Detection Anomaly-based detection looks for indicators of unexpected and abnormal behavior indicative of the presence of malicious code. Specifically, anomalybased detection establishes a baseline of expected operation within a computer system. Once a baseline has been established, any variations from the baseline are attributed to malicious code, allowing malicious code detection and removal tools to isolate the offending code and prevent it from performing its intended functions. Similar techniques are being used to detect other types of security intrusions and compromises, not just those associated with malware. 3.1.1.3.1 Heuristic scanning for code abnormalities indicating malware Heuristic scanning looks for abnormal structures at certain locations in the code of the program suspected of harboring malicious logic; an example of an abnormal structure would be a jump at the beginning of a program. If the scanner finds an abnormal structure, it infers that the abnormality is caused by the presence of malicious logic. Unfortunately, the inferences and assumptions made by heuristic scanners are often incorrect, which renders them inaccurate tools that are only useful when run in conjunction with other behavior-based and anomaly-based tools. IA Tools Report 21 Section 3 Anti-Malware Countermeasures 3.1.1.4 Detection of Indirect Malware Indicators Several approaches infer from indications of modifications to valid system contents or software code that the code must have been altered through the pre-installation embedding or post-installation insertion of malicious logic or the corruption of the operational software by interaction with running malware. Indirect malware indicators include— XXUnauthorized software changes—System integrity assurance techniques, such as peer reviews, software audits, and automated scans, focus on determining, at various stages in the system’s life cycle whether unexpected or unintended changes have been made to the system’s software. For example, a series of “manufacturing scans” during the acquisition, integration, and testing phases of system development involve running of virus detection, spyware detection, and other malware detection tools to determine whether malware has been introduced into the system by any of its commercial or open source components. XXChecksum mismatches—Calculation and comparison of checksums on pre-delivery and post-delivery binary executables may reveal tampering or corruption of the post-delivery binary. If the checksum was digitally signed, verification and validation of the signatures on the pre- and post-delivery versions’ checksums before the checksums themselves are recalculated and compared can provide further indication that the checksum itself was tampered with/corrupted, and thus the code is likely to have been as well. XXSystem profile anomalies—System profiling can augment checksum calculation by verifying that the system’s directory structures have not been corrupted or tampered with. Such profiling includes analysis and verification of valid file attributes, presence of unexpected files or absence of expected files, and review of other characteristics of the entire collection of files for indications of anomalies. System profiling usually relies on digitally signed databases, and includes file system checking that bypasses normal OS facilities that can detect checksum-aware malicious logic. 22 IA Tools Report XXSteganographic obfuscation and/or encryption of inbound files—More commonly used for detecting unauthorized exfiltration (“leakage”) of data in outbound traffic, steganography detection can also be applied to inbound data/traffic, including streaming media, with presence of steganography interpreted as a potential indicator of the embedding of malicious code in the steganographically-obfuscated inbound data file or stream. Similarly, unexpected encryption of inbound data (i.e., data not expected to be encrypted, or encrypted using an unfamiliar or unauthorized algorithm or protocol) may also indicate encryption used to avoid detection of malware. Detection (either at the network boundary or at the endpoint) of either steganography or encryption on inbound files, messages, etc., can be used to justify blocking the data at the network boundary, or to trigger an alert when the file is forwarded on to the intended recipient that the file is suspicious and should either be checked directly for presence of malware before opening/accepting (higher risk) or simply deleted (lower risk). 3.1.2 Prevention Approaches throughout the system life cycle are needed to prevent malware from (1) being embedded or implanted in systems under development, (2) being delivered to and installed on an operational systems, and (3) being executed on operational systems and then propagating to other systems on the same network. These approaches include— XXSoftware assurance during development, including “defensive” design and coding techniques, use of “safe” software tools and programming languages, and other software life cycle practices, such as secure configuration control, static analysis and other security testing techniques, and trusted distribution, to— • Minimize the presence of vulnerabilities in software that can be exploited by malware; Section 3 Anti-Malware Countermeasures • Increase the likelihood of detection and removal of malicious logic “planted” by the system’s developers, testers, or distributors before the software is fielded. XXUse of “demilitarized zones” and other approaches to create “closed” environments with access to the Internet or email, in which servers are hosted that run software (e.g., servers, Web services, other “software as a service”) or from which internal users can download software applications, patches, virus signature updates, etc. XXSurvivability engineering uses techniques, such as system diversity and software evolution to minimize the susceptibility of the organization’s entire computing infrastructure to the same malware. Survivability engineering also uses redundancy techniques to enable more rapid recovery from malware incidents by allowing for swapping in of clean backup systems, together with network topologies that allow for continued operation of unaffected portions of the infrastructure while infection portions are isolated/disconnected and sanitized/restored. 3.1.2.1 Quarantine The objective of quarantine is to prevent detected malicious code execution from affecting the system without risking damage that might arise from simply deleting the infected file to which the malicious code has attached or inserted itself; for example, simply deleting the system’s explorer.exe file because it is suspected of being infected would corrupt/destroy the system’s ability to operate. The anti-malware tool that detects the infected file moves it to an isolated location that is controlled by the tool itself, where that file’s execution (if/when it executes) will not affect other files on the system. This enables the system’s user to send a copy of the quarantined file to the tool’s research team, which should be able to determine whether that file is in fact infected, and if so, whether it can be safely “sanitized” and moved out of quarantine back to its original location in the file system, or whether it needs to be deleted and its pre-infection version restored from backup (or, better yet, from its original medium, e.g., CD). 3.1.2.2 Constrained Execution Environments Constrained execution provides a controlled, (fairly) closed environment in which suspicious or untrusted code can execute with minimum access to other parts of the system, thereby minimizing the impact (and extent of reach) of the executing code if it turns out to be malicious. Use of virtual machines and “sandboxes” and file system access controls can ensure that “untrusted” files entering a server or client can only execute within the configured constrained environment, from which software processes are unable to write to other areas of the system outside that constrained environment; this prevents malware (viruses, worms) from propagating outside the constrained environment. Additional hardware protections, such as read-only memory (ROM) and trusted platform modules (TPM) can be used to further isolate high-confidence, highconsequence code from untrusted code. Use of ROM rather than random access memory (RAM) memory assigned to trusted, critical functions can prevent malicious logic from corrupting that memory. TPMs can be used to run trusted critical system and application software in a physically isolated environment that is physically impenetrable by malicious code downloaded to system areas outside the TPM. 3.1.3 Eradication Eradication—removal of malware and recovery from its effects on operational systems/environments— focuses on sanitizing all systems and devices suspected of harboring the malicious code to eliminate all traces of that code, and to restoring the affected systems to their pre-malware state. The technologies for accomplishing eradication are often built into the same tools that are used to detect malware. However, in the majority of cases, at least some operational restoration measures will also be needed, such as restoration of the system from backup, reinstallation of clean versions of affected software, and also strengthening of detection and prevention countermeasures to reduce the likelihood of future malware infections. IA Tools Report 23 Section 3 Anti-Malware Countermeasures 3.2 Integrating Anti-Malware Countermeasures into IT Security Programs At the system development level, the security architecture for all servers and clients should include the types of hardware/software constrained environments that will minimize those systems’ susceptibility to malware installation, uncontrolled execution, and propagation, and will also accelerate and ease sanitization and restoration of operation after a malware incident. Software and system assurance measures should be included to minimize the possibility and increase the detectability of malicious code that enters the system during its development, distribution, and installation. At the system operational level, countermeasures for detecting and eradicating malware should become standard components of the system’s security “arsenal,” along with firewalls, intrusion detection and prevention systems, etc. Such countermeasures should include network-based, server-based, and client-based countermeasures. At the network level, firewall policies should be adjusted as described below to block inbound traffic suspected of carrying malware. At the server level, countermeasures should include such features as scanning by the email server of inbound and outbound email attachments. At the client/endpoint level, robust anti-virus and anti-spyware tools should be installed, and their usage—including updating of signature files—should be made as easy, transparent, and non-bypassable as possible, so that as little as possible of the organization’s anti-malware effectiveness depends on the end users. The same is true of system configuration and backups that support the lowestimpact recovery from malware incidents. Ideally, the end user’s role should be limited to not getting in the way of the operation of anti-malware tools and related countermeasures. The user should not be expected to participate, except in the most basic, minimal way, in anti-malware tool operation and updating, malware eradication, or post-incident system recovery. Information technology (IT) security programs’ non-procedural elements should also be extended to include physical, policy, and training/awareness 24 IA Tools Report countermeasures that focus on malware prevention. For example, to prevent malicious insiders from inserting malware into stored backups of executables, all media containing software executable images and backups should be stored in locked cabinets or safes to prevent unauthorized physical access. In addition, all servers and network devices should be located in physically access-controlled facilities, to prevent unauthorized physical access by malicious insiders who may abuse direct access to install malware on those servers/devices. Policies that expressly focus on minimizing risk of malicious code being brought into the system from outside should be developed and enforced. For example— XXFirewall policy should be adapted to require blocking of inbound files that are encrypted, steganographically obfuscated, or compressed. This will reduce the risk posed by files that may have been encrypted or obfuscated to prevent malware detection, or files compressed to obscure the true size of their contents (e.g., files containing executable code). XXEmail policy should limit the size of inbound email attachments (with appropriate sizes set for both uncompressed and compressed—if allowed—attachments), HyperText Transfer Protocol (HTTP) and FTP downloads, etc. This will reduce the risk that executable code can be downloaded from the Internet in violation of software installation policies. XXDigital media policies should prohibit the use of thumb drives, removable hard drives, CDs, Digital Versatile (or Video) Discs (DVD), etc., to minimize the likelihood of users inadvertently installing malware carried in “infected” files on removable media brought from home. XXSoftware installation and monitoring policies should strongly deter users from installing unapproved software downloaded from the Internet or copied from CDs. Such policies are enforced through active monitoring of all network-connected systems to ensure that they contain only authorized software. Section 3 Anti-Malware Countermeasures XXPatch management should be beefed up, with security patches distributed on as aggressive a timetable as possible, to narrow the window of opportunity for malware such as Conficker to exploit known vulnerabilities in unpatched systems. Patching will not eliminate zero-day vulnerabilities, but it will significantly reduce risks posed by long-standing vulnerabilities that malware writers will still opportunistically exploit. According to security expert Roger Thompson, government, corporations, and academia are particularly notorious for not applying security patches in a timely manner, if at all. [6] XXSimilarly, other aspects of security vulnerability management need to be reviewed and enhanced. For example, according to Paul Ducklin, head of technology for Sophos Asia-Pacific, warned in March [7] that organizations with weak password construction and management policies would be particularly vulnerable to Conficker, which, if it cannot exploit an unpatched vulnerability, resorts to password cracking to gain access privileges and install itself on a vulnerable system. Clearly virus writers have become very resourceful in finding and exploiting vulnerabilities in the systems they target. Closing obvious holes should be an established policy and practice of every organization and individual computer user. XXUser training in cyber security and “safe” computing should include specific information on issues, such as recognition of malicious code indicators, avoiding cross-site scripting exploits, anti-virus and anti-spyware tool usage, and signature updating. XXAdministrator training should include anti-virus/ anti-spyware tool updating (if such updates are centrally served to users), patching of vulnerabilities that make systems malware-susceptible, response to and recovery from malware incidents, etc. XXDeveloper and integrator training should include software and system assurance principles and best practices, such as secure configuration control, security analysis of custom-developed and third-party components (commercial off-the-shelf [COTS] and open source), and peer reviews and testing to decrease the possibility of malicious code being added to the system, either unintentionally or intentionally, in the first place, but also that any that does get added will be detected and removed before the system is deployed. References 6 See Thompson’s quote at the beginning of the PCMagazine Security Watch blog, “Infected with Conficker? Here’s What to Do,” dated 1 April 2009 and accessed 31 May 2009 at http://blogs.pcmag.com/securitywatch/2009/04/infected_with_ conficker_heres.php 7 Ducklin was quoted by Vivan Yeo of ZDNet Asia in her article “Conficker woes call for strong passwords,” 31 March 2009. Accessed 31 May 2009 at http://www.zdnetasia.com/news/ security/0,39044215,62052730,00.htm IA Tools Report 25 Section 4 4.1 u Anti-Malware Tools Classification of Tools The tools described in the IATAC IA Tools Database can be classified using two different classification methodologies. The first set of classification determines how the tool is used within an organization— XXHost- or endpoint-based—Used to protect individual computer systems. XXNetwork-based—Monitor an organization’s networks for signs of malicious code activity, by actively recording network traffic, analyzing firewall, router and application logs, or performing scans of systems over the network. They may also operate at the network boundary to detect and block malware from entering the network. XXTools-as-a-service—Access to tools in the form of a malicious code detection service accessible over the Internet. Such services are most useful when they augment the use of host/endpoint-based and network-based tools, in order to gain better coverage. Often tools-as-a-service are provided for detection only, with the user required to purchase a license or service in order to eradicate threats found by those tools The second set of classification is based on the mechanisms the tools use to perform their anti-malware detection and response activities— XXMalware detection and removal—Tools that primarily perform detection and removal of malware; subcategories include: virus detection and removal, Trojan detection and removal, spyware detection and removal, and rootkit detection and removal. XXDetection of malware indicators—Tools that rely primarily on behavioral and heuristic anomaly detection and analysis to identify system or program behaviors that are indicative of infection by malicious code XXTrace detection—Tools that scan systems for API hooks and other common traces of the presence of malicious code on the system XXMalicious code analysis—Malware research tools that focus on analyzing malicious code to determine how it is structured and how it operates, usually in support of generating new malware signatures or removal techniques XXMalware honeypot—Tool that captures code originating from a suspicious source or code of an unknown type, and monitors the behavior of that code to determine whether it is, in fact, malicious XXHidden process detection—Tools that detect hidden processes running in the OS or kernel, as such processes often indicate the presence of malicious code 4.2 Tool Selection Criteria The tools selected for inclusion in this Report satisfy the following three criteria— XXDefinition—These tools satisfy the objective, approach, and methodology of an anti-malware tool based on the definition of malware. XXSpecificity to malware—The primary and explicit function of these tools is to reduce the risks and adverse impacts associated with malware, either operationally, by detecting, blocking, isolating and constraining, or removing and recovering from malware attacks, or by enabling analysis and better understanding of malware structure and behavior. XXCurrent availability—The tools that are included in this report are currently available from the Government, academia, or commercial sources, or as freeware on the Internet. In addition to these criteria, the tools selected do not meet any of the criteria for exclusion described in Section 1.2. This means that none of the selected tools— XXAddresses only a single malware instance; XXIs an anti-malware capability built into a larger security tool suite or other software application; XXHas been reported to be or to contain malicious code; IA Tools Report 27 Section 4 Anti-Malware Tools XXAddresses only delivery vectors for malware rather than malware itself; XXIs intended for other or broader purposes, but coincidentally happens to be helpful in reducing malware risk or analyzing malware; XXIs known or strongly suspected to no longer be supported by its supplier or any third party. 4.3 Descriptions of Current Anti-Malware Tools The remainder of this document summarizes pertinent information, providing brief descriptions of available anti-malware tools with contact information for the tool supplier. For the most part, these descriptions are direct copies or adaptations of the suppliers’ own published descriptions of their tools, except when the supplier provided little or no description, in which case third-party information sources such as http://www.chkrootkit.org and http://www.antirootkit.com/ were consulted. Hardware specifications provided here indicate minimum requirements. descriptions originate with the supplier. It is up to the reader to further investigate those tools that appear useful, and to assess their actual capabilities and quality against the claims made by their suppliers. The tools are categorized as follows, and presented in the following sections— XXAnti-malware tools, including— • Anti-virus tools, • Anti-spyware tools, • Anti-rootkit tools, • Antibot, antibotnet, and antizombie tools; XXInstallation blocking, execution termination, and isolation and constraint tools; XXMalware analysis tools; XXOther anti-malware tools that fall outside the categories above. For each tool, the following information is captured: XXAbstract describing the tool; XXTable that includes the information about the tool As stated earlier, IATAC does not endorse, recommend, or evaluate the effectiveness of these tools. Any qualitative judgments implied in the tools’ described below. Tool Name Type The type of tool, or category in which this tool belongs, e.g., “Trojan detection and removal” Operating System The operating system(s) on which the tool runs. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the operating system is embedded in the tool. Hardware The third-party hardware platform(s) on which the tool runs, plus any significant additional hardware requirements such as minimum amount of random access memory or free disk space. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the hardware is incorporated into the tool. License The type of license under which the tool is distributed, e.g., Commercial, Freeware, GNU Public License NIAP Validated An indication of whether the product has received a validation by the National Information Assurance Partnership (NIAP) under the Common Criteria, Federal Information Processing Standard 140, or another certification standard for which NIAP performs validations. If no such validation has been performed, this field will be blank. Common Criteria If the tool has received a Common Criteria certification, the Evaluation Assurance Level and date of that certification. If no such certification has been performed, this field will be blank. Developer The individual or organization responsible for creating and/or distributing the tool URL The Uniform Resource Locator of the Web page from which the tool can be obtained (downloaded or purchased), or in some cases, the Web page at which the supplier can be notified with a request to obtain the tool A note about licenses—Some vendors of tools that have commercial licenses offer free “demo” versions with fixed usage expirations. Only those tools that are truly free (i.e., with no fixed usage duration or other usage restrictions) are listed as “freeware.” Vendors that offer both commercial and freeware versions of their tools, the latter without usage restrictions, are noted as offering commercial tools with freeware versions available. 28 IA Tools Report Section 4 Anti-Malware Tools 4.3.1 Malware Detection and Removal Tools 4.3.1.1 “Broad Spectrum” Anti-Malware Tools The tools described in this section are understood to address more than one category of malware. IA Tools Report 29 Section 4 Anti-Malware Tools Agnitum® Outpost Antivirus Pro Abstract Outpost Antivirus Pro protects digital assets against viruses and spyware, and provides proactive blocking of suspicious and unauthorized behaviors often associated with malware. Outpost Antivirus Pro also ensures that Web sites the user visits cannot surreptitiously serve malware to the user’s PC. Agnitum also includes all Outpost Antivirus Pro capabilities in their Outpost Security Suite, Outpost Network Security, and Outpost Firewall Pro products. 30 IA Tools Report Outpost Antivirus Pro Type Malware detection and termination OS Windows Vista, XP, Server 2008, Server 2003, 2008, 2000 Hardware 450 Megahertz (MHz) central processing unit (CPU) (x-86/x-64/multi-core), 256 Megabytes (MB) RAM, 100 MB free disk space License Commercial NIAP Validated No Common Criteria Developer Agnitum Ltd. (Cyprus or Russian Federation) Availability http://www.agnitum.com/products/ antivirus/index.php Section 4 Anti-Malware Tools ALWIL Software avast! anti-virus Professional Edition Abstract avast! anti-virus Professional Edition is a collection of tools aimed to protect computer systems from viruses, spyware, and rootkits. avast! anti-virus leverages the GMER toolkit (described later in this section) to perform scans for and remove rootkits on a system. Coupled with avast!’s virus and spyware database, users are provided continuous protection against malware. avast! anti-virus Professional Edition Type Malware and rootkit detection and removal OS Windows 95 and later, Linux, Mac OS X 10.3 and later Hardware License Commercial NIAP Validated No Common Criteria Developer ALWIL Software, A.S. (Czech Republic) Availability http://www.avast.com/eng/avast_4_ professional.html IA Tools Report 31 Section 4 Anti-Malware Tools Ashampoo® AntiSpyware 2 Abstract Ashampoo AntiSpyware 2 provides comprehensive protection against hijackers, dialers, spyware, worms, adware, Trojans, keyloggers, and rootkits. The AntiSpyware Guard feature provides automatic updates and daily signature updates. Whitelisting enables individual folders, files, and even “infections” to be excluded from scanning to prevent false alarms; internal encryption algorithms prevent malicious threats from secretly adding themselves to the whitelist. Scans can be scheduled to run automatically or on demand. The tool protects against unknown threats that are detected and blocked with the aid of sophisticated heuristic-analysis algorithms that identify them by their behavior. All suspicious files are moved into quarantine to enable the user to decide whether they should be deleted. A direct online connection to a malware database provides user access to information on detected infections. AutoStart Manager identifies and disables unwanted auto-start programs. The tools also includes a System Process Monitor for monitoring all system processes and disabling them as necessary; the Monitor also monitors Browser Helper Objects (BHO), Winsock Layered Service Providers (LSP), Windows Hosts file, Autostart entries, etc. The LSP-Viewer enables the user to identify installed Winsock attributes, which are often used as an import mechanism for parasite programs. The Hostsfile Checker reports suspicious entries in Hosts file and allows for cleaning up. Internet Cleaner removes up all tracks from the user’s Internet activities, while the File Wiper erases files and folders permanently so they cannot be recovered. IP Spam Blocker provides protection against desktop popup ads. 32 IA Tools Report Ashampoo AntiSpyware 2 Type Malware detection and removal OS Windows 2000, XP, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Ashampoo GmbH (Germany) Availability http://www2.ashampoo.com/webcache/ html/1/product_2_0149___USD.htm Section 4 Anti-Malware Tools Authentium® Command Anti-Virus v5 Abstract Command Anti-Malware scans for viruses, spyware, malware, and other potentially unwanted programs. The tool implements a four-phase detection system to significantly minimize incidence of false-positives. The tool uses heuristics to identify threats based on behavior that uses a neural network learning capability to recognize and block novel threats. The tool’s anti-virus engine simulates the execution of programs to determine which Windows OS calls they attempt to make; this capability runs in a fully quarantined environment entirely segregated from the host OS. The tool provides real-time scanning. Authentium advertises that its malware signature database contains over 800,000 discrete pieces of malicious code. Command Anti-Virus v5 Type Anti-malware detection OS Client—Windows Vista, XP, 2000; Server—Windows XP, Server 2003, 2000 Hardware License Commercial NIAP Validated No Common Criteria Developer Authentium, Inc. Availability https://www.authentium.com/mainv2/ command.htm IA Tools Report 33 Section 4 Anti-Malware Tools AVG 8.5 Internet Security Abstract AVG 8.5 Internet Security includes the following tools— XXAnti-Virus and Anti-Spyware, to detect and remove viruses, worms, spyware and Trojans; XXIdentity Protection, to help protect against identity theft; XXAnti-Rootkit, to detect and remove rootkits; XXWeb Shield, to scan downloaded files and instant messages for malware; XXLinkScanner, to block malicious Web sites; XXAnti-Spam, to filter junk mail and phishing mail; XXFirewall, to protect against network-based threats; XXSystem Tools, to control AVG Internet Security. AVG 8.5 Internet Security leverages real-time scanning and automatic signature updates to protect computer systems against malicious code. 34 IA Tools Report AVG 8.5 Internet Security Type Virus, spyware, and rootkit detection and removal OS Windows 2000 and later Hardware License Commercial NIAP Validated No Common Criteria Developer AVG Technologies CY, Ltd. (Cyprus) Availability http://www.avg.com/ product-avg-internet-security Section 4 Anti-Malware Tools Avira AntiVir® Abstract Avira’s AntiVir detects and eliminates viruses, worms, Trojans, rootkits, phishing, adware, spyware, bots, and prevents dangerous “drive-by” downloads of viruses. The tool also protects against phishing attacks and hidden rootkits. The tool includes an EmailScanner, plus WebGuard protection that prevents connections to known malicious Web sites. The RescueSystem create a bootable rescue CD, while QuickRemoval eliminates viruses with a single mouse click. The tool also provides NetbookSupport for laptops with low resolution. The product comes in Premium and Professional editions, and provides tools to support Windows and UNIX file servers, SharePoint and SAP NetWeaver Web portal servers, Exchange, MIMEsweeper, Domino, and Linux-based mail servers, Proxy servers, and Smartphones, personal digital assistants (PDA), and PocketPCs running Windows Mobile. AntiVir Type Malware detection, blocking, and removal OS Desktop—Windows 2000, XP, Vista File server, Mail Server, Portal Server, MIMEsweeper—Windows 2000 Server, Server 2003, Server 2008, Citrix® Presentation Server, Red Hat Enterprise Linux 4/5 Server, Novell SuSE® Linux Enterprise Server 9/10-10.2, Debian® GNU/Linux 4, Ubuntu® Server Edition 8, Sun Solaris 9/10, Novell Open Enterprise Server Proxy server—Windows 2000, 2003 Mobile on PocketPC—Windows 2000, XP, Vista on PocketPC Mobile on Smartphone or PDA— Windows Mobile 2003, 5, 6.1 Hardware File server for Solaris—UltraSparc IIi 650 Portal server for UNIX/Linux or Windows— Pentium III 500 MHz Portal server for Solaris—UltraSparc IIi 650 Mobile—Pentium II+ PocketPC, Advanced Reduced Instruction Set Computer Machine, Intel x86 Smartphone, or PDA License Commercial NIAP Validated No Common Criteria Developer Avira GmbH (Germany) Availability http://www.avira.com/en/products/index.html IA Tools Report 35 Section 4 Anti-Malware Tools AxBx Software Solutions VirusKeeper 2009 Abstract VirusKeeper provides a real-time threat detection engine that monitors all executing processes and programs in memory, system files, registry, and input/output ports for suspicious activity. VirusKeeper® is compatible with other anti-malware software, enabling users to increase the effectiveness of their malware detection and removal countermeasures. 36 IA Tools Report VirusKeeper 2009 Type Suspicious process detection and monitoring OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer AxBx Software Solutions (France) Availability http://www.viruskeeper.com/us/index.htm Section 4 Anti-Malware Tools Beijing Rising International Software Rising Antivirus 2009 Abstract Rising Antivirus protects PCs against viruses, Trojans, worms, rootkits, and other malicious programs by monitoring both active files and inbound (POP3) and outbound (simple mail transfer protocol [SMTP]) email messages and attachments, as well as Web communications (the tool automatically blocks malicious Web scripts and HTTP-borne viruses). The tool includes patented Unknown Virus Scan&Clean technology and patented Smartupdate technology. Users can communicate with the Beijing Rising virus lab to establish a rapid response network for quickly catching Trojans and other malware. The tool’s System Reinforcement capability also monitors and protects OS vulnerabilities from exploitation by malware. Its Malicious Behavior Interceptor monitors the operational status of applications and running programs for signs of possible malicious behavior, which it blocks. The tool also scans and blocks malware on Universal Serial Bus (USB) media, CDs, DVDs, and network drives. The tool can be integrated with instant messengers, download managers, and other utilities and applications. Beijing Rising also offers an online “Express Edition” virus-scan-as-a-service using its Rising Antivirus software to systems running Internet Explorer® (IE); this service requires installation of an ActiveX application provided by Beijing Rising. Rising Antivirus Type Malware detection and removal OS Windows 2000, XP, 2003, Vista Hardware Vista—1 Gigahertz (GHz) CPU (32- or 64-bit), 512 MB RAM (up to 4 Gigabyte [GB]); Other OS—Pentium 500 MHz, 64 MB RAM; All—SVGA monitor with 24-bit true color License Commercial (freeware version available; see Rising PC Doctor in Section 4.3.1.2) NIAP Validated No Common Criteria Developer Beijing Rising International Software Co., Ltd. (China) Availability http://www.rising-global.com/products/ Rising-Antivirus-2009.html IA Tools Report 37 Section 4 Anti-Malware Tools BitDefender AntiVirus 2009, GameSafe, and Mobile Security v2 Abstract AntiVirus 2009 uses separate scanning engines for different types of files and malware. These plug-ins are loaded on-demand as file systems or malware types are observed on the system. By leveraging a modular architecture, BitDefender’s AntiVirus products can be run across a wide range of environments, including mobile devices. AntiVirus 2009 scans all Web, email, and instant messaging traffic for viruses and spyware, updates itself hourly to ensure near-real-time detection, and uses heuristics to proactively protect against new virus and spyware outbreaks. AntiVirus 2009 also includes a number of other cyber security features, such as anti-spam and anti-phishing protection, intended to reduce risks associated with Internet usage (and, in GameSafe, online gaming) that can make it easier for malicious code to enter a system. BitDefender includes the same core anti-virus technology in its other standalone AntiVirus products, including— XXMobile Security v2—provides virus scanning for mobile devices running the Symbian or Microsoft® Windows Mobile® OS; XXGameSafe—intended for use on computers used in online computer gaming. It adds to the BitDefender® AntiVirus capability the ability to detect and remove rootkits; XXFree Edition—a “lightweight” version of AntiVirus 2009 that provides the same anti-virus capabilities, but none of the additional cyber security features of AntiVirus 2009. Free Edition provides an on-demand and schedule-driven virus scanner that uses the same scanning engines and quarantine capabilities found in other BitDefender products. 38 IA Tools Report BitDefender’s anti-virus technology is also included in the company’s multifunction Internet Security and Total Security cyber security and enterprise security management suites, and is used by BitDefender® Online Scanner (described in Section 4.3.7). AntiVirus 2009 Type Virus and spyware detection and removal OS Windows XP, Vista, Home Server Hardware 800 MHz CPU; 256 MB RAM for XP (512 MB recommended), 512 MB for Vista or Home Server (1 GB recommended); 170 MB free disk space (200 MB recommended) License Commercial (freeware option available with Free Edition) NIAP Validated No Common Criteria Developer BitDefender (Romania) Availability http://www.bitdefender.com/PRODUCT2216-en--BitDefender-Antivirus-2009.html http://www.bitdefender.com/PRODUCT-14en--BitDefender-Free-Edition.html GameSafe Type Virus, spyware, and rootkit detection and removal OS Windows 2000 with Service Pack 4; XP with Service Pack 2 (32/64 bit); Vista (32/64 bit) Hardware License Commercial NIAP Validated No Common Criteria Developer BitDefender (Romania) Availability http://www.bitdefender.com/PRODUCT2213-en--BitDefender-GameSafe.html Section 4 Anti-Malware Tools Mobile Security v2 Type Virus detection and removal OS AntiVirus—Windows Mobile PocketPC 2002 and higher; Mobile Smartphone 2002 and higher; Symbian® 60 7.x/8.x; Symbian 80 7.x Note: Symbian 60 9.x is not supported. PC Update Module—Windows® 2000 or XP Hardware AntiVirus software—HP iPAQ 1915, HP iPAQ 3115, Dell Axim® x50v, T-Mobile MDA, Qtek S200, etc.; Motorola MPx220, Orange SPV C600, etc.; Nokia 3230, 6600, 6680, N70, N90, etc.; Nokia 9300, 9500, etc. Note: The following Nokia phones are not supported—3250, 5500, 6290, E50, E60, E70, N91, N95 PC Update Module—Pentium MMX 200 MHz; 64MB RAM Memory (128MB recommended); 40 MB free disk space License Commercial NIAP Validated No Common Criteria Developer BitDefender (Romania) Availability http://www.bitdefender.com/PRODUCT-2149en--BitDefender-Mobile-Security-v2.html IA Tools Report 39 Section 4 Anti-Malware Tools CA [9] Anti-Virus Plus Anti-Spyware 2009 Abstract This tool packages the CA Anti-Virus 2009 and Anti-Spyware 2009 products into a single integrated application. These tools are described individually in Sections 4.3.2 and 4.3.3. Anti-Virus Plus Anti-Spyware 2009 Type Malware detection and removal OS Windows 2000, XP, or Vista Hardware 300 MHz CPU (800 MHz for Vista), 256 MB RAM (512 MB for Vista), 35 MB free disk space License GNU [10] Public License (GPL) NIAP Validated No Common Criteria 40 IA Tools Report Developer CA Availability http://shop.ca.com/virus/anti-virus_plus.aspx Section 4 Anti-Malware Tools Central Command Vexira® Antivirus Abstract Vexira Antivirus provides real-time protection of computers against viruses, worms, Trojans, adware, spyware, and hostile ActiveX and Java applications. The tool runs in interactive and automatic modes and performs both signature-based and heuristic virus scanning with definable levels. On UNIX/Linux, the tools performs multi-thread virus scanning, enables users/administrators to enable/disable boot scanning at will and use the configuration file for common task, and perform virus quarantine management via the command line. Server + i] and Postfix, Exim, Sendmail, SMTP/Relay [supported by Vexira Antivirus for Mail Server). Vexira Antivirus for Workstation/Desktop scans email messages and attachments and intercepts and scans Internet-accessed Web pages before allowing them to be rendered in the user’s browser. The tool also enables users/administrators to lock down the tool’s configuration, preventing tampering with or modification to the tool’s preset data security profile. The Central Management Solution enables Vexira Antivirus for Windows Workstation/Desktop clients at several physical sites to be centrally managed from a single management station. Central Command offers Vexira Antivirus for Workstation/Desktop, Server, and Mail Server (including Sendmail, Milter, Postfix, Qmail, Courier, Groupwise [supported by Vexira Antivirus for Mail Vexira Antivirus Type Malware detection and removal OS For Workstation/Desktop—Windows 98, ME, NT, 2000, XP; for Windows Server—Windows NT 4 Server, 2000 Server, 2003 Server; for Novell Server—Netware 4.1+ latest Support Pack; Groupwise version requires Groupwise 5.x; anti-spam capabilities requires Novell Netware 5.1+ latest Support Pack 4 or Netware 6 Support Pack 1; for Samba Server—Linux (i386) glibc 2.2.5 Kernel 2.2.1+; SunOS 5.7+; Solaris 7+ with Samba 2.2.1-3.0.11 (Samba 2.2.1-2.2.2 need export symbols); for Solaris Server—Sun Solaris 9 or SunOS 5.9; for Advanced Interactive eXecutive (AIX®) Server— AIX 4.3.3, 5.2 + Maintenance level 10; for Linux/UNIX Server—Linux (glibc 2.2.5, kernel 2.2.x), FreeBSD 4.9 or 5.3,, OpenBSD 3.4 or 3.6; for Mail Server (Postfix, Exim, Sendmail, SMTP/Relay)—Linux (i386) glibc 2.2.5 Kernel 2.2.1+, FreeBSD 4.9, 5.3, OpenBSD 3.4, 3.6, Sun Solaris 9 / SunOs 5.9, AIX 4.3.3 + Maintenance level 10; for Mail Server + i—Linux (i386) glibc 2.2.5 Kernel 2.2.1+; FreeBSD 4.9, 5.3 (2005 version only); OpenBSD 3.4, 3.6; AIX 4.3; Solaris. Sendmail from version 8.12; Qmail from version 1.03; Groupwise 7 (on Linux); Central Management Solution— Windows NT 4 Server, 2000 Server, 2003 Server; Microsoft Jet 4 database engine required Hardware Versions for Windows/NetWare—Intel-compatible 200 MHz+ CPU, 64 MB RAM, 30 MB free disk space (Groupwise version requires 40 MB); for Samba Server— Intel-compatible 300 MHz+ CPU or Ultra SPARC IIe 500 MHz, 64 MB RAM (Intel)/128 MB RAM (SPARC), 30 MB free disk space; for Solaris Server—UltraSparc IIe 500 MHz, 128 MB RAM, 10 MB free disk space; for AIX Server—PowerPC II (G3), 256 MB RAM, 10 MB free disk space; for Linux/UNIX Server—Pentium 200 MHz CPU, 32 MB RAM, 10 MB free disk space; for Mail Server on Linux—Pentium 200 MHz with 32 MB RAM; On Solaris—UltraSparc IIe at 500 MHz with 128 MB RAM; for Mail Server on AIX—PowerPC II (G3) with 256 MB RAM; All—50 MB free disk space; for Mail Server + i—Pentium 300 MHz, 128 MB RAM, 32 MB free disk space; Central Management Solution—Pentium 400MHz, 128 MB of RAM, 150 MB free disk space + 2 MB of temporary space License Commercial NIAP Validated No Common Criteria Developer Central Command, Inc. Availability http://www.centralcommand.com IA Tools Report 41 Section 4 Anti-Malware Tools ClamWin Free Antivirus 0.95.1 Abstract Free Antivirus features a high detection rate for viruses and spyware via on-demand and scheduled scans. Free Antivirus uses ClamAV® (described later in this section) as its anti-virus engine, to which it adds a Windows-based interface for ease of use. The product provides both on-demand and scheduled scans for viruses and spyware. 42 IA Tools Report Free Antivirus 0.95.1 Type Virus detection and termination OS Windows® 98, ME, 2000, XP, 2003, Vista Hardware License Freeware NIAP Validated No Common Criteria Developer ClamWin Pty. Ltd. (Australia) Availability http://www.clamwin.com Section 4 Anti-Malware Tools Comodo Security Solutions BOClean Abstract BOClean automatically detects and removes malware from memory, hard disks, and registries. BOClean installs itself as part of the OS, allowing it to detect and prevent malware from installing itself instantaneously. BOClean comes with the following features— XXDestroys malware and removes registry entries; BOClean Type Malware detection and removal OS Windows 2000 and XP (all versions) Hardware License Commercial NIAP Validated No Common Criteria XXDoes not require a reboot to remove all traces; Developer Comodo Security Solutions, Inc. XXDisconnects the threat without disconnecting Availability http://www.comodo.com/boclean/boclean. html the system from the network; XXGenerates optional report and a safe copy of evidence; XXAutomatically scans in the background; XXConfigurable “Stealth Mode” hides BOClean from users; XXUpdates automatically from a network file share; XXProtects itself from tampering and shutdown by malware; XXDaily malware database updates from Comodo’s Web site; XXUpdate file can be shared/pushed from a central server to ease maintenance; XXEnables optional rollback to earlier versions of the tool. Comodo also includes BOClean in its Internet Security tool suite. IA Tools Report 43 Section 4 Anti-Malware Tools CurioLab Exterminate It! Abstract Exterminate It! performs comprehensive detection and removal of worms, Trojans, rootkits, and other malware, including the most recent and previously unknown (undetected) threats. Exterminate It! includes “Submit State” functionality, which enables the user to generate and submit detailed info on the state of his/her PC to CurioLab, which will include a remedy for the detected malware in the next database update (database updates are sent to subscribers every 24 hours). 44 IA Tools Report Exterminate It! Type Malware detection and removal OS Windows 2000, XP, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer CurioLab Availability http://www.exterminate-it.com Section 4 Anti-Malware Tools Doctor Web Dr.Web Anti-virus Abstract Dr.Web Anti-virus detects viruses, Trojans, spyware, all known rootkits, stealth viruses, and other types of malware. The tool can be launched from a removable medium (CD or USB drive) without being installed on the target system. It can then operate on even an infected computer, to scan boot sectors, RAM, hard drives, and removable drives, and sanitize infected files, restoring them to their original state instead of deleting them, without use of additional utilities. The tool’s virus databases can be updated during installation, and can be set to update automatically, on demand, or according to a schedule. Dr.Web Anti-virus includes SpIDer Mail, which scans mail traffic “on the fly” to ensure that only clean messages are forwarded to recipients, free of malicious code or infected attachments. The Virus activity control feature protects a system against mass mailings performed by mail worms. SpIDer Mail examines components of a message and considers sending time to determine if an outgoing message is a part of malicious activities in a system. Individual rules can be created for different types of malicious programs, including viruses, riskware, adware, hack tools, paid dialers, and jokers. SpIDer Mail supports SMTP, Post Office Protocol (POP), Network News Transfer Protocol (NNTP), and Internet Message Access Protocol (IMAP) mail protocols. The tool comes in versions for Windows, Linux, Novell NetWare, Windows Mobile, and a package for Windows + Linux. The tool also comes in versions for email servers, including Microsoft Exchange, IBM Lotus Domino, UNIX mail systems (multiple), and ClearSwift MIMEsweeper. There are also Dr.Web Antivirus products for SMTP Web Mail gateways and Internet gateways. Dr.Web’s Antivirus software is also included in their more extensive Security Space and Enterprise Suite cyber security products. Dr. Web also provides console scanners are available for older OSs, including Microsoft Disk Operating System (DOS), OS/2, and older versions of Windows. Dr.Web Anti-virus Type Malware detection and removal OS Windows—Windows 95, 98, ME, NT, 2000, XP, Vista (32-bit only) Linux—All distributions with glibc-2.2-2.7 (32-bit only). NetWare—NetWare v.3.12-6.5 Windows Mobile—Windows Mobile 2003, 2003 SE, 5.0, 6.0-6.1 Exchange, Lotus Domino, MIMEsweeper— Windows Server 2000, 2003, or later UNIX Mail—All distributions with glibc 2.2-2.7 Web Mail, UNIX Internet gateway—All distribution with glibc 2.2-2.7, FreeBSD 4.x+, Solaris 10 Kerio WinRoute Internet gateway— Windows 2000, XP, 2003, 2008 Hardware Linux—2.5 MB free disk space NetWare—25 MB RAM + 25 RAM for each extra scanning process, 20 MB free disk space Windows Mobile—any Communicator or PocketPC running Win Mobile OS Exchange—Pentium 133 MHz (733 MHz recommended), 256 MB RAM (512 MB recommended), 20 MB free disk space (+50 MB for logs, 500 MB for log archives) Lotus Domino—Pentium 133, 64 MB RAM (128 MB recommended), 20 MB free disk space MIMEsweeper—35 MB free disk space Kerio WinRoute Internet gateway—30 MB free disk space Note: Solaris 10 supported on Pentium only, not on SPARC. License Commercial [11] NIAP Validated No Common Criteria Developer Doctor Web Ltd. (Russian Federation) Availability http://products.drweb.com/win/choose IA Tools Report 45 Section 4 Anti-Malware Tools DriveSentry SecuritySuite and GoAnywhere Abstract DriveSentry provides anti-virus, anti-malware, and anti-spyware protection for PCs and for removable storage devices (such as USB memory keys, portable drives, flash cards), and network drives. Subscribers receive real-time signature updates (lifetime—no subscription required). SecuritySuite and GoAnywhere recognize over one million unique malware signatures, and automatically block and quarantine known viruses, Trojans, and malicious code. The tool’s patented Tri-Security technology detects the latest threats that bypass traditional security software even without regular signature updates. Users are also able to control which applications and software access their systems and personal data via combined white-listing technology and real-time black-listing advice from the DriveSentry Advisor Community; this ensures that only trusted programs can access the protected PC or device and prevents damage from zero day threats that go undetected by conventional anti-virus software. SecuritySuite also provides “drag and drop” Advanced Encryption Standard (AES) 256-bit data encryption, file synchronization, and backup of data stored on removable devices to PC. 46 IA Tools Report SecuritySuite and GoAnywhere Type Malware detection and removal OS SecuritySuite—Windows 2000, XP, Server 2003, Vista Hardware Devices supported—compact Flash, SecureDigital (SD) card, Sony MagicGate, iPod®, other memory cards, media players, mobile phones, digital camera media, removable PDA memory. USB flash drives. License SecuritySuite—Commercial; GoAnywhere—Freeware NIAP Validated No Common Criteria Developer DriveSentry, Inc. Availability http://www.drivesentry.com/drivesentrysecurity-suite.html http://www.drivesentry.com/AntiVirusFirewall-gofeatures-for-computers-andremovable-media.html Section 4 Anti-Malware Tools Emsi Software A-squared Abstract A-squared relies on both signature-based and behavior-based detection to identify malware on users’ systems. A-squared blocks access to known-malicious Web sites and provides signature updates at least five times per day to ensure that users’ protection is fully up-to-date. A-squared uses the Malware Intrusion Detection System (available as a pure malware detection tool as Mamutu), which does not rely on heuristics. The Malware Intrusion Detection System watches important system files and gives the user the option to allow or deny any changes to those files. A-squared Type Malware detection and removal; Behavior analysis for malware indicators OS Windows XP and later Hardware License Commercial NIAP Validated No Common Criteria Developer Emsi Software, GmbH (Austria) Availability http://www.emsisoft.com/en/software/ anti-malware IA Tools Report 47 Section 4 Anti-Malware Tools Emsi Software Mamutu 1.7.0.27 Abstract Mamutu monitors all active programs for dangerous behavior, and recognizes and blocks all potentially dangerous programs, including new, zero-day, and unknown Trojans, worms, and viruses for which signatures are not yet available. Mamutu’s behavior-based detection and analysis does not use a fingerprint or signature to recognize dangerous software, but rather detects it on the basis of the behavior of the software. This approach enables Mamutu to recognize new malware without daily updating of the tool, and long before other tools’ signature databases have been updated. 48 IA Tools Report Mamutu 1.7.0.27 Type Malware detection and removal OS Windows 2000, XP, 2003 Server, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Emsi Software GmbH (Austria) Availability http://www.mamutu.com/en/software/ mamutu Section 4 Anti-Malware Tools ESET® NOD32® Antivirus Abstract NOD32 Antivirus 4 provides comprehensive protection against viruses, Trojans, worms, adware, spyware, rootkits, and other malware threats. The tool’s ThreatSense® technology provides protection against novel and unknown threats. In addition to scanning standard Web and email channels, NOD32 Antivirus inspects secure sockets layer (SSL)-encrypted communication channels (e.g., HTTPS and POP3S) and scans compressed files to find hidden threats. The tool provides email scanning for Microsoft Outlook®, Outlook Express, Mozilla® Thunderbird®, Windows Live Mail, Windows Mail, and other POP3/IMAP mail clients. For self-running media, NOD32 Antivirus scans autorun.inf and associated files when the medium is inserted, as well as any file on any removable device when it is accessed, or during a full-scan of the media. Users can adjust NOD32 Antivirus to perform additional customized and on-demand scans of removable media. The tool also includes SysInspector and SysRescue functions for diagnosis and sanitization of infected systems via deep scans of system processes to find hidden threats, and creation of a bootable rescue CD/DVD or USB drive to help in the repair of an infected computer. The tool’s built-in Self Defense technology prevents malicious software from corrupting or disabling the tool itself. The Business Edition of NOD32 Antivirus includes all the features described above plus host-based intrusion prevention, remote administration via a single console, external drive access control and scanning, Cisco® Network Admission Control compatibility, and enhanced logging and reporting functions to support compliance requirements. The Mobile Antivirus version detects, quarantines, and removes known viruses, spyware, adware, Trojans, worms, rootkits, and other unwanted software carried by email attachments and other files accessed via wireless links (e.g., Bluetooth, WiFi, General Packet Radio Service, Enhanced Data rates for Global system for mobile Evolution) by smartphones and PocketPCs. Heuristic-based detection protects against unknown threats between signature updates. Mobile Antivirus scans memory and running processes, onboard files, and removable media. It also enables use of whitelists and blacklists to blocks text messages and short message service (SMS) spam from unknown and unwanted senders. Mobile Antivirus has low CPU, memory requirements, and compact updates that minimize data bandwidth usage. Signature updates can be downloaded on-demand or at pre-set intervals (daily, weekly, monthly). NOD32 Antivirus Type Virus and anomaly detection and termination OS Antivirus 4 —Windows 2000, XP, Vista (32-/64-bit) Antivirus 4 Business Edition—Windows 2000 Professional and Server 2000, Server 2003, Server 2008, XP, Vista (32-/64-bit) Mobile Antivirus—Windows Mobile 5.0, 6.0, 6.1 Hardware Antivirus 4—Intel or Advanced Micro Devices (AMD) x86/x64 CPU, 44 MB RAM, 63 MB available disk space Mobile Antivirus Tested on—HP iPAQ 116 PDA, HTC Advantage/Faraday (Cingular® 2125, unlocked)/Touch (Verizon XV6900)/ TyTN® (Cingular 8525)/TyTN II (AT&T Tilt), Palm Treo® 750, Pantech® Duo (unlocked), Samsung BlackJack II (unlocked), Sony Xperia® X1 (unlocked), UTStarcom® XV6700 (Verizon® XV6700), XDA Atom Life All—1 MB RAM Note: Incompatible with Asus® MyPal A696 PDA, iMate SPL (PhoneOne S101), Samsung SGH-i900 (Fplayer Addict) License Commercial NIAP Validated No Common Criteria Developer ESET (Slovakia) Availability http://www.eset.com/products/nod32.php http://www.eset.com/products/ mobileantivirus.php IA Tools Report 49 Section 4 Anti-Malware Tools Filseclab Twister Anti-TrojanVirus Abstract Twister Anti-TrojanVirus is an anti-Trojan, anti-virus, anti-rootkit, and anti-spyware tool that uses a combination of signature-based scanning and behavior analysis to detect Trojans, spyware, viruses, hackers, adware, and other malware threats. It supports the Windows Security Center and right-click scanning from the Explorer context menu. It supports scanning of files compressed using the following compression formats: zip, rar, ace, cab, chm, and eml. Twister’s Registry Protector protects the PC’s Windows registry in real time, and its Registry Fix Tools can quickly fix many frequently occurring problems in Windows and IE. The Spyware Removal Assistant utility simplifies removal of stubborn Trojans and spyware. The virus definition live update and automatic update enables the tool to detect and remove the most recent Trojans, spyware, and viruses. 50 IA Tools Report Twister Anti-TrojanVirus Type Malware detection and removal OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer Filseclab (China) Availability http://www.filseclab.com/eng/products/ twister.htm Section 4 Anti-Malware Tools Finport Technologies Simple Antivirus v2.1 and Corporate v2.4 Beta Abstract Simple Antivirus detects all known viruses, worms, adware, spyware, and other malware and monitors RAM and file system for malware-related activity. Updating the virus definition database can be performed via a direct network connection to the virus definitions database or through a proxy-server. Simple Antivirus Type Malware detection OS Windows XP and Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Finport Technologies (Ukraine) Availability http://www.simple-avr.com.ua/ IA Tools Report 51 Section 4 Anti-Malware Tools FireEye® 4200 Web Malware & Botnet Security System Abstract The FireEye 4200 is a self-contained, rack-mountable network security appliance that detects botnets and Web-based malware, including malware that uses techniques like polymorphism and obfuscation. Using the FireEye Analysis & Control Technology engine, the FireEye 4200 can analyze real-time network traffic replayed within virtual machines to accurately detect zero-day malware and botnets, and to capture inbound malware forensics to aid in infection analysis and remediation. Outbound callback fingerprinting enables identification of previously infected PCs calling out to malicious parties. The appliance connects to the FireEye Malware Analysis & Exchange Network to gain additional signatures, callback coordinates, and botnet intelligence. 52 IA Tools Report FireEye 4200 Web Malware & Botnet Security System Type Malware and botnet detection and removal OS n/a Hardware n/a License Commercial NIAP Validated No Common Criteria Developer FireEye, Inc. Availability http://www.fireeye.com/products/index.html Section 4 Anti-Malware Tools F-Secure Anti-Virus 2009 Abstract Anti-Virus 2009 includes an anti-virus tool, anti-spyware tool, and a personal firewall to protect computer systems against malware. Leveraging F-Secure’s DeepGuard 2.0 technology, which uses network-enabled pre-recognition of malicious and benign software, Anti-Virus 2009 aims to reduce the level of user interaction required to protect against unknown malware outbreaks. F-Secure also includes Anti-Virus 2009’s capabilities in its Internet Security 2009 product, which adds a Web firewall that prevents browsers from connecting to malicious Web sites—thereby avoiding the installation of malicious code via “drive-by downloads.” Anti-Virus 2009 Type Virus and spyware detection and removal OS Windows 2000, Vista (32- and 64-bit), XP Hardware XP/2000 —Pentium III 600 MHz or higher, 256 MB RAM; 600 MB available disk space; high-speed Internet connection Vista—512 MB RAM; 600 MB available disk space; high-speed Internet connection License Commercial NIAP Validated No Common Criteria Developer F-Secure Corporation (Finland) Availability http://www.f-secure.com/en_EMEA/ products/home-office/antivirus IA Tools Report 53 Section 4 Anti-Malware Tools Greatis Software UnHackMe 5.0 Abstract The main difference between UnHackMe and other anti-rootkit software is the detection method. UnHackMe tries to detect the hidden rootkits by watching the computer from early study of the boot process until the normal Windows mode. Most modern anti-rootkit programs try to detect the rootkits when the rootkit is already active. They use the very complex methods for detecting hooked system functions, but the rootkit author creates the new tricks, and the process repeats. UnHackMe 5.0 Type Malware detection and removal OS Windows 2000/2003/XP/Vista; Windows NT 4.0 may or may not still be supported Hardware Pentium 100 CPU or better with 8 MB RAM and 1-2 MB of free disk space License Commercial (older version free with registration). Available licenses—single user, family, business, family+business, roaming, and professional NIAP Validated No Common Criteria 54 IA Tools Report Developer Greatis Software (Russian Federation) Availability http://www.greatis.com/unhackme/ download.htm Section 4 Anti-Malware Tools HAURI ViRobot Desktop 5.5, GatewayWall, Exchange 3.0, Windows Server 3.5, SDK Abstract ViRobot performs real-time monitoring and filtering of email, IM, files, and Internet transmissions found to contain viruses, worms, spam, malicious scripts, etc. Its Viruswall function enables virus scanning and logging policy to be configured at the shared folder, process, or network level. The tool also detects and removes spyware and adware. The tool includes quarantine functions that move infected files and email messages, as well as spam messages, to a secure isolated area. Finally, the tool performs vulnerability analyses to ensure that the system’s patches are all up to date, to minimize the presence of vulnerabilities that are exploitable by malware. ViRobot GatewayWall blocks spam and virusinfected email at the mail server to prevent them from ever reaching the user’s desktop. The tool can scan 14 compression file types, including .zip, .jar, .lha, .rar, .cab, .ace, .zoo, .gz, .tar, .z, .tgz, and .taz, as well as UUencoded and MIME-encoded email attachments, at each level of compression or encoding of multicompressed/multi-encoded files. When viruses are found, they are removed at all levels. ViRobot Exchange provides comparable functions on Microsoft Exchange mail servers, on which ViRobot’s anti-virus engine is tightly integrated with Microsoft’s virus scanning API (2.0 or 2.5); the tool scans mail transmitted by all major protocols, including SMTP, MAPI, HTTP (Webmail), POP3, and IMAP4, and supports all mail clients using those protocols, including Outlook Express, and Outlook. document management systems, Web servers, firewalls, proxy servers, groupware) ViRobot’s anti-virus engine, quarantining, and other function modules. ViRobot Desktop 5.5, Gateway Wall, Exchange 3.0, Windows Server 3.5, SDK Type Malware detection, blocking, and quarantine OS Desktop—Windows Vista, XP, 2000, NT, running IE 6.0, TCP/IP networking; GatewayWall—Windows 2000 Server or 2003 Server, Linux, UNIX; Exchange— Windows 2000 Server/Advanced Server/ Exchange Server, Windows Server/ Exchange Server 2003; Windows Server—Windows Server 2000, 2003, 2008, IE 5.5, TCP/IP networking; SDK—HP-UX 11.x, AIX 3.x.x, FreeBSD, Solaris v5-v8, Linux 6.x-7.x, Windows (XP, 2000, NT 4.0) Hardware Desktop—Pentium III 500 MHz, 512 MB RAM, 300 MB free disk space; GatewayWall—Pentium III 800 MHz, 256 MB RAM, 1 GB free disk space, mouse, CD drive, network connection; Exchange—Pentium 500 MHz, 256 MB RAM, 100 MB free disk space, CD drive, network connection; Windows Server— Pentium III 300 MHz, 256 MB RAM, 800 MB free disk space License Commercial NIAP Validated No Common Criteria Developer HAURI Inc. (Korea) Availability http://www.hauri.net/product ViRobot Windows Server 3.5 performs comparable virus detection for files stored on Windows file servers ViRobot Software Development Kit (SDK) enables developers or integrators to port, customize, and/or integrate (e.g., with IE-mail, USB mass storage, other data storage, knowledge management, electronic IA Tools Report 55 Section 4 Anti-Malware Tools iolo® AntiVirus Abstract iolo AntiVirus provides integrated email protection that automatically scans inbound and outbound email messages for viruses, worms, Trojans, and other malware threats, and removes discovered malware from infected messages. AntiVirus also performs on-demand, full-system anti-virus scanning to find and remove malware that is already installed and running on the PC. iolo® provides hourly updates to their virus threats database. 56 IA Tools Report iolo AntiVirus Type Malware detection and removal OS Windows 2000, SP, Vista Hardware 256 MB RAM, 30 MB available hard disk, CD or DVD drive, Internet connection License Commercial NIAP Validated No Common Criteria Developer iolo technologies, LLC Availability http://www.iolo.com/ss/ Section 4 Anti-Malware Tools Jiangmin Antivirus Software KV2009 Abstract KV2009 provides a “highly optimized” anti-virus engine and a combination of proactive defense techniques that enable it to detect and remove over one million kinds of viruses, including Trojans, worms, backdoors, spyware, and hijackers. Its “Anti-Trojan for Webpage” feature prevents PCs from visiting Web pages that might infect them. Jiangmin also offers a version of their product for removable devices (Moving Picture Experts Group [MPEG] audio layer Three [MP3] players, USB Flash disks, removable storage devices) and for smartphones (viruses spread via multimedia dissemination protocols). Antivirus Software KV2009 Type Malware detection and removal; malicious site blocking OS Windows NT, 2000, XP, ME, Server 2003, Vista Hardware XP—Pentium 800 MHz, 256 MB RAM Vista—Pentium 800 MHz 32 bit (x86)/64 bit (x64), 512 MB RAM All—50 MB free disk space; CD-ROM drive, computer mouse, Internet connection License Commercial (freeware version available) NIAP Validated No Common Criteria Developer Jiangmin SciTech (China) Availability http://global.jiangmin.com/productskv.htm IA Tools Report 57 Section 4 Anti-Malware Tools K7 Computing AntiVirus 7.0 Abstract AntiVirus 7.0 scans PCs and email to detect viruses, worms, Trojans, spyware, and adware, with potential threats cross-referenced with the latest virus databases. AntiVirus 7.0 makes regular automatic updates and background system scans. All new files accessed, downloaded, created, or modified are automatically scanned in real time. The anti-spyware feature prevents unwanted programs from installing themselves without user approval. Additional anti-malware functionality stops the installation of malware such as Trojans, worms, rootkits, adware, and keylogger exploits. 58 IA Tools Report AntiVirus 7.0 Type Malware detection and removal OS Windows 98 2nd Edition, ME, 2000 Professional, XP, Vista Hardware 128 MB RAM, 60 MB free disk space, Internet connection License Commercial NIAP Validated No Common Criteria Developer K7 Computing (India) Availability http://www.k7computing.com/index.php/ anti-virus/k7-antivirus-70.html Section 4 Anti-Malware Tools Kaspersky® Anti-Virus 2009 Abstract Anti-Virus 2009 provides anti-virus and anti-spyware protection to guard against viruses, Trojans, and worms, spyware , adware, and rootkits, as well as identity theft and phishing attacks. Features include— Anti-Virus 2009 Type Malware detection and removal OS Windows XP, Vista Hardware XXProtection for instant messengers; XP—Pentium 800 MHz, 256 MB RAM Vista—Pentium 800 MHz 32 bit (x86)/64 bit (x64), 512 MB available RAM All—50 MB free disk space, CD-ROM, computer mouse, Internet connection XXProtection against unknown threats; Note: Optimized for Intel Centrino® Duo. XXScanning of files, email, and internet traffic; XXAnalysis and remediation of IE vulnerabilities; XXDisabling of links to known malware and phishing sites; XXGlobal threat monitoring provided via Kaspersky® Security Network; XXBlocking of all types of keyloggers; XXAutomatic updates of the tool’s signature database. License Commercial NIAP Validated No Common Criteria Developer Kaspersky Lab (Russian Federation) Availability http://usa.kaspersky.com/store Kaspersky Lab also includes its anti-virus technology in its Internet Security, Mobile Security, and Security for Ultra Portables products. IA Tools Report 59 Section 4 Anti-Malware Tools Lavasoft® Ad-Aware® Abstract All commercial versions of Ad-Aware protect against viruses, spyware, Trojans, worms, malware, rootkits, dialers, and other malware. Ad-Aware Free protects only against spyware/adware. Ad-Aware’s Pro core engine uses behavior-based heuristic detection techniques. The tool also blocks outbound connections to blacklisted IP addresses (i.e., of known malicious Web sites) and blocks or suspends malicious processes and infected files detected on the system. Ad-Aware detects attempted registry changes and alerts the user when a program tries to make changes to the Registry, allowing the user to block the threat or allow access. The tool scans not only the local system, but also any connected external storage devices, iPods, DVDs, USBs, or network drives. On-demand scans can be pinpointed down to the individual file level. The tool performs detection, removal, and clean-up after removal of malware. Ad-Aware includes a rootkit removal system. The tool comes with the Lavasoft Toolbox of monitoring and reporting tools and system utilities. Ad-Aware’s database includes over two million known threats, and provides continuous pulse updates. Lavasoft offers Ad-Aware in four different packages— XXAd-Aware Plus—Includes adware detection and removal and anti-virus protection; XXAd-Aware Pro—Also includes adware detection and removal and anti-virus protection; XXAd-Aware Enterprise 2.1—Proactively blocks and safely eliminates spyware, viruses, Trojans, rootkits, and other malware without slowing down the network; XXAd-Aware Free—Provides only adware detection/removal. 60 IA Tools Report Ad-Aware Type Malware detection, blocking, and removal OS Enterprise 2.1 Client—Windows Vista, XP, Server 2003, 2000 Pro Enterprise 2.1 Server—Windows 2000 Pro, 2000 Server, 2003 Server, XP Enterprise 2.1 Console—Windows Vista, XP, Server 2003, 2000 Pro, Plus, Free—Windows Vista, XP, 2000 Pro Hardware Enterprise 2.1 Client—Pentium P600, OS RAM + 150 MB, 150 MB free disk space Enterprise 2.1 Server—OS RAM+24 MB, 200 MB free disk space Pro, Plus, Free—Pentium 600 MHz, OS RAM+100 MB, 100 MB free disk space License Commercial (freeware version available) NIAP Validated No Common Criteria Developer Lavasoft AB (Sweden) Availability http://www.lavasoft.com/products/ ad_aware.php Section 4 Anti-Malware Tools Lavasoft Anti-Virus Helix Abstract Anti-Virus Helix performs heuristic detection, quarantine, and removal of viruses, worms, Trojans, adware, and rootkits, and real-time detection of cyber threats such as botnets, phishing attempts, and drive-by downloads. Anti-Virus Helix Type Malware detection, blocking, and removal OS Windows 2000, XP, Vista Hardware Pentium 133 MHz, OS RAM+100 MB, 40 MB free disk space License Commercial (freeware version available) NIAP Validated No Common Criteria Developer Lavasoft AB (Sweden) Availability http://www.lavasoft.com/products/ lavasoft_anti-virus_helix.php IA Tools Report 61 Section 4 Anti-Malware Tools Malwarebytes® Anti-Malware 1.37 Abstract Malwarebytes Anti-Malware application is designed to quickly detect, destroy, and prevent malware. By monitoring every process, Anti-Malware can detect and prevent malicious processes from running immediately after they are launched. Anti-Malware is available in both a free and commercial version. The free license allows users to perform on-demand malicious code detection and removal, while the commercial license allows users to take advantage of real-time protection as well as support for scheduled scans. 62 IA Tools Report Anti-Malware 1.37 Type Malware detection and removal OS Windows 2000, XP, Vista Hardware License Commercial (freeware version available) NIAP Validated No Common Criteria Developer Malwarebytes Corporation Availability http://www.malwarebytes.org/mbam.php Section 4 Anti-Malware Tools Microsoft Forefront Client Security Abstract Microsoft’s Forefront Client Security is a corporate-level anti-malware suite that puts an emphasis on managing and controlling a large number of systems. Forefront Client Security provides protection against viruses and spyware while offering central management consoles that integrate with an organization’s existing enterprise security management infrastructure. ForeFront Client Security Type Malware detection and removal OS Windows XP and later Hardware License Commercial NIAP Validated No Common Criteria Developer Microsoft Corporation Availability http://www.microsoft.com/forefront/en/us/ default.aspx IA Tools Report 63 Section 4 Anti-Malware Tools Microsoft Windows Malicious Software Removal Tool Abstract The Windows Malicious Software Removal Tool checks computers running Windows for infections by specific, prevalent malicious software and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. Microsoft releases an updated version of this tool on the second Tuesday of each month, and as needed to respond to security incidents. The tool is available from Microsoft Update, Windows Update, and the Microsoft Download Center. The version of the tool delivered by Microsoft Update and Windows Update runs in the background and then reports if an infection is found. Customers who wish to run the tool more than once a month need to use the version available from the Web page listed below or to install the version that available from the Download Center. 64 IA Tools Report Windows Malicious Software Removal Tool Type Malware detection and removal OS Windows Vista, XP, 2000, Server 2003 Hardware License Free NIAP Validated No Common Criteria Developer Microsoft Corporation Availability http://www.microsoft.com/security/ malwareremove/default.mspx Section 4 Anti-Malware Tools MicroWorld® Technologies eScan AntiVirus 9.0/10.0 and eScan for Linux 2.0 Abstract eScan AntiVirus is a comprehensive virus solution intended to protect PCs from viruses, worms, Trojans, spyware, adware, keyloggers, rootkits, and other malware. The tool uses signature-based (with hourly updates) and heuristic scanning, and detects, monitors, and warns the user about registry changes and suspicious applications. The tool includes an on-demand scanner with caching for improved performance. The tool can scan files, applications, emails and attachments (SMTP and POP3 can be scanned in real-time), and USB drives. The tool also incorporates a PC firewall for monitoring and logging inbound and outbound network activity. eScan AntiVirus desktop editions are available for Windows and Linux (the latter recognizes over 120,000 viruses and variants). eScan also supports scanning of emails (Microsoft Outlook/Exchange .pst and .pab files, Microsoft Internet Mail .mbx files). Licenses are available for home users, small- and medium-sized businesses, and large corporate- and enterprise-level organizations, for a variety of Windows and Linux-based desktops and servers. eScan AntiVirus and eScan for Linux Type Malware detection OS Windows editions—2000, 2003 Enterprise/ Standard/64-bit, 2008, XP Home/ Professional/64-bit, Vista; IE 5.0; Microsoft Small Business Server/Citrix Server edition/ Proxy Server editions—Windows 95, 98 SE/ ME, NT 4.0, 2000, XP, Vista, 2008; Linux editions—RedHat Enterprise Linux 3/4/5 and RedHat 9, SuSe Linux Enterprise Server 9/10, Debian 3.1, Mandrake 9.2 Hardware Windows editions—Pentium 200 MHz, 128 MB RAM (256 MB recommended), 150 MB free disk space, CD drive, monitor/console with 800x600 resolution; Microsoft Small Business Server/Citrix Server/Proxy Server editions—Pentium or AMD/Citrix 500 MHz, 128 MB RAM, 300 MB free disk space Internet connection, monitor/console with 800x600 resolution; Linux editions—30 MB free disk space License Commercial NIAP Validated No Common Criteria Developer MicroWorld Technologies, Inc. Availability http://www.mwti.com/products/escan/ escan_antivirushomeuser/escanav_ homeuser.asp http://www.mwti.com/products/escan/ escan_linux_desktops/escan_linuxdesktops. asp http://www.mwti.com/products/escan/ escan_antivirus_smbuser/escanav_smb.asp http://www.mwti.com/products/escan/ escan_corporate/escancorporate.asp http://www.mwti.com/products/escan/ escan_enterprise/escanenterprise.asp http://www.mwti.com/products/escan/ escan_enterprise_mssbs/escan_ent_mssbs. asp http://www.mwti.com/products/escan/ escan_citrix/escancitrix.asp http://www.mwti.com/products/escan/ escan_linux_servers/escan_linuxservers. asp http://www.mwti.com/products/escan/ escan_corporate_proxy/escancorporate_ proxy.asp IA Tools Report 65 Section 4 Anti-Malware Tools MIEL e-Security Labs Helios and Helios Lite Abstract Helios is a patent-pending malware detection system designed to detect, remove, and inoculate PCs against rootkits. Helios uses behavior-based detection, and so does not rely on a database of known signatures. This enables the tool to detect unknown malware and malware for which signature-based products do not yet have a signature definitions. MIEL e-Security Labs’ developers claim not to know whether Helios will actually detect specific instances of known malware, but they do assert that malware that exhibits behaviors of modern rootkits will be detected. Helios was not designed, however, to detect browser toolbars, dialers, and other types of malware that the tool’s developers feel are adequately handled by other anti-virus products. Helios was designed to augment products, to detect advanced stealth malware that they cannot. 66 IA Tools Report Helios 1.1a and Helios Lite Type Malware detection and removal, and behavior analysis for malware indicators OS Windows XP SP2 (Helios requires Microsoft .NET Framework 2.0; Helios Lite does not.) Hardware Helios—1 GHz CPU, 512 MB RAM Helios Lite—256 MB RAM License Freeware NIAP Validated no Common Criteria Developer MIEL e-Security Pvt. Ltd. (India) Availability http://helios.miel-labs.com/2006/07/ download-helios.html Section 4 Anti-Malware Tools MooSoft Development The Cleaner 2010 Abstract The Cleaner 2010 detects and removes Trojans, worms, keyloggers, spyware, adware, and other malware. It supports quarantining, whitelisting, advanced heuristics for unknown malware detection, and other features that have become standard in anti-malware products. The Cleaner 2010 Type Hidden malware detection and removal OS Windows® 2000, XP, Vista, Windows® 7 Hardware License Commercial (freeware personal-use version available) NIAP Validated No Common Criteria Developer MooSoft Development, Inc. Availability http://www.moosoft.com/TheCleaner/ TheCleaner IA Tools Report 67 Section 4 Anti-Malware Tools NictaTech Software Digital Patrol Abstract Digital Patrol is an anti-Trojan scanner that detects and eliminates more than 500,000 types of Trojan horses, viruses, worms, backdoors, porno-dialers, spyware, and malicious ActiveX® controls and Java® applets found “in the wild” spreading over the Internet. Digital Patrol deletes malware from the computer on which it is found, and performs heuristic analyses of files to detect new, previously unknown malware. The tool scans the most popular archive types and self-extracting executable files. The tool’s “Rapidly Live Updating from the Internet” feature enables it to keep its anti-virus database and program components up to date. 68 IA Tools Report Digital Patrol Type Malware detection and removal OS Windows XP SP2 and Vista Hardware License Commercial NIAP Validated No Common Criteria Developer NictaTech Software (Russian Federation) Availability http://www.proantivirus.com/en/index.php Section 4 Anti-Malware Tools NETGATE Technologies Spy Emergency 2009 Version 6.0.405 Abstract Spy Emergency combines spyware, Trojan, virus, and spam detection and removal technologies into one solution for combating various malware threats and potentially unwanted software, including spyware, viruses, adware, Trojans, worms, spam, homepage hijackers, backdoors, remote administration tools, ActiveX components, dialers, scumware, keyloggers, data mining software, toolbars, tracking cookies, browser, hijackers/BHOs, and polymorphic malware. The tool also provides low-level anti-rootkit protection and automatic LSP stack repair. The tool scans system memory, registry, data storage, and emails/attachments (including compressed files); it checks the last of these for malware and spam messages. Prevention shields and real-time memory shields ensure that spyware, Trojans, worms, and viruses are automatically blocked before they can execute. A browser shield (IE, Firefox, Opera) prevents drive-by downloads from malicious Web pages. Spy Emergency Type Malware detection, blocking, and removal OS Windows Vista (32-bit and 64-bit), XP (32-bit), 2000 (32-bit) Hardware Desktop—Pentium III 500 MHz, 512 MB RAM, 300 MB free disk space; GatewayWall—Pentium III 800 MHz, 256 MB RAM, 1 GB free disk space, mouse, CD drive, network connection; Exchange—Pentium 500 MHz, 256 MB RAM, 100 MB free disk space, CD drive, network connection; Windows Server— Pentium III 300 MHz, 256 MB RAM, 800 MB free disk space License Commercial NIAP Validated No Common Criteria Developer NETGATE Technologies s.r.o. (Slovakia) Availability http://www.spy-emergency.com/ http://www.netgate.sk/content/view/18/41/ Spy Emergency includes heuristic behavioral analysis technology that runs in a virtualized environment to scans for suspicious and potentially harmful activity, detects, quarantines, and then removes unknown threats not yet in the Spy Emergency database of over 1,600,000 threat signatures. The tool augments its graphical user interface with Shell Extension Scanning to support a command-line interface. IA Tools Report 69 Section 4 Anti-Malware Tools Norman Security Suite, Virus Control, and Endpoint Protection Abstract Norman’s anti-malware products feature the company’s Sandbox technology, which detects and prevents execution of unwanted actions by new and unknown malware, and “DNA Matching” [12] technology, which determines whether detected programs have malicious, suspicious, or legitimate behaviors. If too much of a new program’s “DNA” consists of malicious elements, DNA Matching indicates that the new program is most likely also malicious. For their anti-spyware capability, Norman is a value-added reseller of Ad-Aware. The complete list of anti-virus/anti-spyware products Norman offers includes— XXSecurity Suite—Virus protection recognizes, blocks, and removes viruses, worms, Trojans and other varieties of destructive program code. Spyware protection protects against malicious spyware as keyloggers, hijackers, rootkits and other malicious software jeopardizing user privacy, identity, or simply reducing computer performance. Rootkit protection provides enhanced protection, detecting and removing rootkits. Live Statistics provide an overview of files scanned and number of infections found. Proactive malware protection uses Norman SandBox technology to keep user data free from new unknown viruses, Trojans, worms, and other malicious programs. The Suite protects email, IM, Internet downloads and Web browsing. Background auto-updates are sent to all modules. A protective screensaver scans the computer for viruses and spyware when the screensaver is active. Instant file and folder scanning lets the user quickly and efficiently scan for malicious content by right-clicking a file or folder icon. 70 IA Tools Report XXVirus Control—A collection of anti-virus software applications and utilities that protect workstations, servers and gateways against malicious software, including viruses, worms, and Trojans through on-access and on-demand scanning. The Norman Internet Protection module scans incoming and outgoing email as well as files downloaded from newsgroups. Norman® offers its Virus Control product for the following platforms— • Virus Control for Linux, • FireBreak 4.5 (Virus Control) for Novell Netware, • Virus Control for Lotus Domino, • Virus Control for Exchange (for Microsoft Exchange mail servers), • Virus Control for AMaViS (for Linux-based mail servers that use AMaViS), • Virus Control for MIMEsweeper. XXEndpoint Protection—Endpoint malware protection combines anti-virus and anti-spyware to secure workstations, laptops, servers, and terminal servers. Virus Control recognizes, blocks and removes viruses, worm, Trojans, and other varieties of destructive program code. Antispyware capabilities protect against malicious spyware such as keyloggers, hijackers, rootkits, and other malicious software that jeopardizes user privacy. Rootkit protection includes a rootkit removal function. Norman includes its anti-virus and anti-spyware capabilities in its Email Protection and Network Protection software and appliances. Section 4 Anti-Malware Tools Security Suite, Virus Control, Endpoint Protection Type Malware detection, analysis, and removal OS Security Suite—Windows Vista, XP, 2000 Virus Control—Windows 95, 98, ME, NT, 2000, 2003, Vista Virus Control for Linux—distributions with glibc v2.2+ FireBreak 4.5 (Virus Control) for Novell Netware—NetWare 4.11 and later Virus Control for Lotus Domino—Windows NT 4.0 or later, 2000, 2003 Virus Control for Exchange—Windows 2000, 2003 Virus Control for AMaViS —tested on CentOS 5.0 and Debian Etch Virus Control for MIMEsweeper—Windows 2000 Endpoint Protection—Windows 2000, 2003, XP, Vista, 2008 Hardware Security Suite—450MHz Pentium Virus Control—Pentium License Commercial NIAP Validated No Common Criteria Developer Norman ASA (Norway) Availability http://www.norman.com/home/all_products/anti-virus/ http://www.norman.com/smb/en-us http://www.norman.com/enterprise/en-us IA Tools Report 71 Section 4 Anti-Malware Tools Norton® AntiVirus 2009 and Gaming Edition Abstract AntiVirus 2009 is a “for home use” product that detects and automatically removes viruses, spyware, Trojan horses, worms, bots, and rootkits. The tool includes a technology called Norton Insight, which enables it to scan only for files and processes at risk of malware infection. The tool is also able to scan emails and instant messages. The subscription also includes the separate Norton Recovery Tool that enables the user to reboot from the Recovery Tool disk (CD or DVD) and recover (sanitize) a severely infected PC. AntiVirus Gaming Edition provides comparable anti-malware functionality, but adds the ability for the user to configure the tool to suspend alerts and notifications that would interrupt game play, and real-time monitoring that would reduce PC and network speed. The tool comes with a one-year subscription to signature updates, which are downloaded to the protected PC every five to 15 minutes (or more often in some cases). In addition, the tool’s real-time SONAR technology detects emerging spyware and viruses before signatures are available. Subscribers also receive one year of free technical support. Norton®’s AntiVirus technology is also included in the company’s Internet Security 2009 and Norton 360 Version 3.0 product lines, which also include network, host, and cyber security features to augment their anti-malware capabilities. 72 IA Tools Report AntiVirus 2009 and AntiVirus Gaming Edition Type Malware detection and removal OS Windows Vista, XP; Mac OS X running Windows via Boot Camp® virtualization software Hardware AntiVirus 2009 —300 MHz CPU, 256 MB RAM (512 MB with Recovery Tool), 150 MB free disk space, CD-ROM or DVD drive License Commercial NIAP Validated Common Criteria Developer Symantec Corporation Availability http://www.symantec.com/norton/antivirus http://www.symantec.com/norton/ macintosh/antivirus-dual-protection http://www.symantec.com/norton/ norton-antivirus-gaming-edition Section 4 Anti-Malware Tools NovaShield Anti-Malware Abstract NovaShield Anti-Malware uses behavior-based detection technology to detect the presence of known, emerging, and unknown threats, including zero-day threats, including botnets, Trojans, keyloggers, rootkits, worms, and spyware. NovaShield monitors file, registry, process, and network events on a computer and analyzes them based on a set of security policies. If a program performs actions that violate any of the security policies, an alert will be raised on the suspicious program, which can then be stopped and removed from the computer (quarantined). NovaShield will also clean up any new files or registry keys installed by the malware. Development of NovaShield Anti-Malware was funded through two National Science Foundation grants. NovaShield Anti-Malware Type Suspicious process detection and removal OS Windows XP an Vista Hardware XP—Pentium III 800 MHz, 256 MB RAM, 50 MB free disk space Vista—800 MHz CPU, 1 GB RAM, 50 MB free disk space License Commercial NIAP Validated No Common Criteria Developer NovaShield, Inc. Availability http://www.novashield.com/Anti-Malware. aspx IA Tools Report 73 Section 4 Anti-Malware Tools ParetoLogic AntiVirus PLUS 6.0 Abstract Anti-Virus PLUS finds and removes spyware, viruses, Trojans, rootkits, and other malware. The tool also blocks browser access to malware-related URLs and protects against malware embedded in scripts, thus preventing drive-by downloads. Scanning can be customized to scan certain areas on demand, and to skip certain areas (down to the granularity of individual files). AntiVirus PLUS can detect threats in compressed files. ParetoLogic AntiVirus PLUS Type Malware detection and removal OS Windows 2000 SP4, XP SP2, Vista (all 32-bit); IE 6.0/7.0 Hardware Pentium III, 256 MB RAM (512 recommended), 100 MB free disk space, monitor with 1024x764 resolution, Internet connection License Commercial NIAP Validated No Common Criteria 74 IA Tools Report Developer ParetoLogic Inc. (Canada) Availability http://www.paretologic.com/products/ antivirusplus/index.aspx Section 4 Anti-Malware Tools ParetoLogic Anti-Spyware Abstract ParetoLogic Anti-Spyware provides— XXActive Protection (Real-Time Blocking) that automatically detects a potentially unwanted application attempting to download to a computer, alerting the user to the threat and providing blocking options; XXCustomizable scanning processes that enable the user to choose the depth of the scan, including scanning running processes, registry entries, files, and folders; XXDetection and removal of adware, spyware, pop-up ads, keyloggers, Trojans, hijackers, malware, and other potentially unwanted programs; XXLarge, continually expanding databases of malware definitions; XXAutomatically delivery of feature and definition database updates; XXBackup and Restore feature hat enables the user to restore previously removed items, thus preventing inadvertent permanent removal of benign files; XXCycle Detection that prevents recurring loops wherein an alert message pops up repeatedly; the tool detects potential loops and presents their details so the user can terminate the notifications; XXAutomated scheduled scanning, automatic restoration of browser pages, and automatic blocking and logging. ParetoLogic Anti-Spyware Type Malware detection, blocking, and removal OS Windows 2000 SP4, XP SP2; IE 5.0 Hardware Pentium III, 256 MB RAM (512 recommended), 20 MB free disk space, monitor with 1024x764 resolution, Internet connection License Commercial NIAP Validated No Common Criteria Developer ParetoLogic, Inc. (Canada) Availability http://www.paretologic.com/products/ paretologicas/index.aspx IA Tools Report 75 Section 4 Anti-Malware Tools PCSecurityShield The Shield Deluxe 2009 Abstract The Shield Deluxe uses “Powered by BitDefender” technology to protect systems against viruses, spyware, adware, and rootkits. The tool receives hourly updates to ensure that it always scans based on up-to-date signatures. The Shield Deluxe 2009 Type Malware detection and termination OS Windows XP, Vista, Home Server Hardware XP—800MHz or higher CPU, 256 MB RAM (1 GB recommended), 170 MB free disk space (200 MB recommended) Vista—800MHz or higher CPU, 512 MB RAM (1 GB recommended), 170 MB free disk space (200 MB recommended) Home Server—800MHz or higher CPU, 512 MB RAM (1 GB recommended), 170 MB free disk space (200 MB recommended) License Commercial NIAP Validated No Common Criteria 76 IA Tools Report Developer PCSecurityShield Availability http://www.pcsecurityshield.com/lp/ shield-deluxe-25.aspx Section 4 Anti-Malware Tools PC Tools ThreatFire® 3 4.5.0 Abstract Unlike traditional anti-malware software, ThreatFire 3 detects malicious behavior such as keystroke logging and other behavioral analysis to determine whether the system is infected with malware. This allows ThreatFire 3 to protect against zero-day threats. ThreatFire 3 comes in two versions, Pro and Free; the only differences between them is that the Free license does not include automated updates and telephone support for users, nor does it allow for commercial/business use. ThreatFire 3 Type Malware detection (via behavior analysis for malware indicators) OS Windows XP, Vista, 2003 Hardware 20 MB free disk space License Commercial (freeware version available) NIAP Validated No Common Criteria Developer PC Tools, Ltd. (Ireland) Availability http://www.threatfire.com/ IA Tools Report 77 Section 4 Anti-Malware Tools Prevx® 3.0 + Removal and + Real-time Abstract Prevx performs virus, adware, and rootkit detection and, using the commercial version, removes detected malware. Prevx is designed to supplement existing anti-virus software, increasing the level of protection against malicious code. Both versions perform detection and removal. Prevx with the Real-time capability also provides real-time and zero-day/zero-hour protection (through heuristics) for blocking of both known and unknown malware. The Real-time capability also protects against master boot record rootkits. 78 IA Tools Report Prevx 3.0 + Removal and + Real-time Type Malware detection, termination, and removal OS Windows 98, XP, Vista, 2000, 2003, 2008, Windows 7 Hardware Pentium II, 32 MB RAM, 10 MB free disk space License Commercial (freeware version available that performs detection only) [13] NIAP Validated No Common Criteria Developer PREVX, Ltd. (United Kingdom) Availability http://www.prevx.com Section 4 Anti-Malware Tools Proland Software Protector Plus 2009 for Windows, Exchange Server, and NetWare Server Abstract Protector Plus protects systems against viruses, Trojans, worms, spyware and other potential threats. On Windows, the tool performs real-time scans and continuously monitors the system, preventing malware from entering the during Web browsing, network access, and use of removable media (CD, USB, etc.). The tool also blocks infected emails at the incoming port before they read the mail server inbox. Protector Plus automatically downloads signature updates hourly in the background. Users can also submit suspicious files detected and quarantined by Protector Plus’s heuristic scanning to Proland Software’s virus analysis lab for further investigation; the lab will return a report to the user advising him/her as to whether the file is malicious and should be removed. On NetWare, Protector Plus includes a real-time scanner Netware Loadable Module and also supports manual scans and remediations that can be targeted down to the volume and directory level. The NetWare tool’s virus database is updated weekly. Protector Plus for Exchange scans all incoming email/attachments before they reach the users’ mailboxes, and blocks those that contain malware (viruses, worms, Trojans). The tool can be configured to disinfect, delete, or quarantine the infected mails. The tool can also be configured to send email alerts to the mail message’s sender, intended recipient, the administrator, or a pre-configured list of multiple individuals. Remote management of Protector Plus for Exchange can monitor all activity performed by the tool on the Exchange server, and report details such as addresses of senders of infected mails, intended recipients of infected mails, and properties of the infected attachments. Online monitoring also enables the administrator to check the total number of mails received, the number that were infected, etc.; reporting also supports analysis of trends over time. The tool’s quarantine facility stores infected files for further analysis. Infected files will be moved to the quarantine folder. The quarantined files will be encrypted and they cannot infect the system. These quarantined files can be restored for further scanning or deleted. Protector Plus Console enables central management of multiple systems running Protector Plus. The console can remotely install the software and updates on the managed end systems. Software Protector Plus 2009 Type Malware detection, blocking, and removal OS Windows—Windows Vista, XP, ME, 2000, 98, 95 desktops; Windows 2000, 2003, NT and Netware 4.x-6.x servers; Exchange—Exchange 2000/2003 Server; Console—Windows NT/2000/2003 Server (must be a domain controller) Hardware License Commercial NIAP Validated No Common Criteria Developer Proland Software (India) Availability http://www.pspl.com/products/products.htm IA Tools Report 79 Section 4 Anti-Malware Tools Protea AntiVirus Tools for Lotus Domino 2.09.271 Abstract AntiVirus Tools for Lotus Domino is a toolset that integrates avast!, ClamAV, Quick Heal, and VirusBuster malware scanners (described elsewhere in this section) into Lotus Domino to ensure that mail messages and attachments are scanned as they traverse the Domino environment. The administrator can configure the tool to scan documents in Network File System (NFS) databases. Suspicious and infected mail messages, attached files and Object Linking and Embedding (OLE) objects, and documents (including Rich Text Format [RTF] fields, attached files, OLE objects) are either quarantined or deleted, and users and administrators notified about their status (which is also logged). The components of the toolset include— XXMonitor, for scanning all inbound and outbound email; XXScanner, for scanning all documents in NFS databases; XXUpdater, for automatically updating the AntiVirus databases; XXConfiguration database, for managing the AntiVirus toolkit; XXQuarantine store, for isolated storage of suspicious and infected objects. 80 IA Tools Report AntiVirus Tools for Lotus Domino 2.09.271 Type Malware detection and removal OS Windows 2000, XP, 2003 Hardware Pentium 133, 64 MB RAM (128 MB recommended), 30 MB free disk space License Commercial NIAP Validated No Common Criteria Developer Protea Tools (South Africa) Availability http://www.proteatools.com/products/ antivirus_lotus_notes_domino/ Section 4 Anti-Malware Tools Quick Heal Technologies AntiVirus Plus 2009 Abstract AntiVirus Plus 2009 provides an anti-virus tool that automatically scans, detects, and removes viruses, worms and Trojans from email attachments and Internet downloads. AntiVirus Plus 2009 also includes an anti-spyware tool that blocks spyware before it can install itself on the PC, detects and removes already-installed spyware, and blocks spyware activity. AntiVirus Plus’ anti-malware tool scans the registry, folders, and resident files to detect and remove spyware, adware, rogueware, dialers, riskware, and other potential threats. Finally, the AntiVirus Plus anti-rootkit tool performs proactive deep system scans of running processes, registry, and file system to detect suspicious rootkit-indicative activity hidden on the system, and locate and remove the responsible rootkit. The product also includes a PC firewall. AntiVirus Plus 2009 Type Malware detection and removal OS AntiVirus Plus 2009 —Windows 2000, XP, Server 2003, Vista, Server 2008 Quick Heal for Linux and Quick Heal Mail Protection for Linux —Redhat Linux 8.0+, SuSe Linux 7.2+, Mandrake 8.0+ Quick Heal for NetWare—Novell Netware Server 4.0+ Quick Heal Mail Protection for Windows— Windows 2000, XP, 2003 Quick Heal Exchange Protection— Windows 2000, 2003; Console— Windows 98, 2000, XP, 2003, 2007 Hardware AntiVirus Plus 2009 for— Windows 2000 or XP—300 MHz Pentium, 128 MB RAM Windows 2003 —300 MHz Pentium, 256 MB RAM Windows Vista—1 GHz Pentium, 1 GB RAM Windows Server 2008 —1 GHz Pentium, 512 MB RAM All—200 MB free disk space; DVD or CD-ROM drive Quick Heal for Linux and NetWare—133 MHz Pentium, 64 MB RAM, 40 MB free disk space, DVD or CD-ROM drive Quick Heal Mail Protection for Linux and Windows—300 MHz Pentium, 128 MB RAM, 40 MB free disk space, DVD or CD-ROM drive Quick Heal Exchange Protection, Mail server—300 MHz Pentium, 256MB RAM, 100 MB free disk space Console for server versions—800x600 dots per inch (dpi) with 256 colors Note—Those AntiVirus products with anti-rootkit capability require an additional 256 MB RAM to run. License Commercial NIAP Validated No Quick Heal also provides the AntiVirus Plus capabilities in its— XXQuick Heal for Linux and Novell Netware, XXQuick Heal Mail Protection for Linux and Windows, XXQuick Heal Exchange Protection. Quick Heal’s anti-malware technology is also included in the company’s Total Security 2009 PC security product. In India, the anti-virus product line is packaged somewhat differently, to include Quick Heal AntiVirus Plus 2009 Regular and Standard editions for desktop and server. Common Criteria Developer Quick Heal Technologies (P) Ltd. (India) Availability http://www.quickheal.com/ IA Tools Report 81 Section 4 Anti-Malware Tools Resplendence Software Projects SanityCheck 1.02 Abstract XXHook the system service descriptor table, SanityCheck is an advanced rootkit and malware detection tool for Windows that thoroughly scans the system for threats and irregularities that indicate malware or rootkit behavior. By making use of special deep inventory techniques, this program detects hidden and spoofed processes, hidden threads, hidden drivers, and a large number of hooks and hacks that are typically the work of rootkits and malware. It offers a comprehensible report that gives a detailed explanation of any irregularities found and offers suggestions on how to solve or further investigate any situation. XXHook the entry points of exported kernel routines, SanityCheck makes use of a special Windows feature (a GlobalFlag setting), which allows it to create a deep inventory of drivers, devices, processes, threads, and a lot of other information about your system. By making use of this feature in combination with other techniques, it is able to create a very thorough scan of irregularities on your system. SanityCheck performs checks to detect processes that— XXHide themselves from the Windows task manager and programming interfaces by using seven (unnamed) safe techniques to reveal hidden processes in both user mode and kernel mode; XXAttempt to obfuscate their names, a typical tactic associated with malware; XXAppear as standard Windows processes; XXHave obviously deceptive names, as is typical of malicious processes received as email attachments that try to appear as innocent document types; XXHave no associated product, company, or description resource information. SanityCheck also verifies and validates checksums and digital signatures on processes and kernel modules. SanityCheck performs checks to detect kernel modules that— 82 IA Tools Report XXIssue kernel object callout hooks, XXAttempt to hide. Because there is no such thing as a clear distinction line between malware and legitimate products that use aggressive controversial techniques, such as anti-piracy measures that deter debugging or reverse engineering, or rootkit-like techniques such as hidden processes used by anti-virus and other security software to avoid detection by malware (which, in turn, morphs itself to avoid detection by the security software), SanityCheck does not include “one button” eradication of suspect processes or “fixing” of hooks in the kernel. Instead Sanitycheck leaves the system state unaltered, while providing a comprehensible report with suggestions on how to handle the tool’s findings. SanityCheck also provides an optional expert mode in which the user can display extensive information on drivers, devices, processes, threads, kernel objects, and system routines for further analysis; this is information that can only otherwise be obtained using a kernel debugger. SanityCheck 1.02 Type Malware detection and termination (via behavior analysis for malware indicators) OS Windows 2008 Server, Vista, XP, Server 2003, Server 2000 Hardware License Freeware NIAP Validated No Common Criteria Developer Resplendence Software Projects Sp. (Italy) Availability http://www.resplendence.com/sanity http://www.resplendence.com/downloads Section 4 Anti-Malware Tools Sagyn Solutions SysIntegrity Abstract SysIntegrity protects computer against spyware, adware, and malware by performing real-time analysis of files as they are written to the hard disk. By comparing file signatures to a list of known malware, SysIntegrity is able to detect over 100,000 types of malware. If a malicious file is found, the user is prompted to either quarantine or delete the file. In addition to real-time protection, SysIntegrity includes a manual scanner that can be used to scan individual files or entire directories. This is useful for scanning data contained on other media, such as CDs or flash drives. SysIntegrity Type Malware detection and removal OS Windows XP, Vista Hardware 500 MHz CPU with 256 MB RAM License Commercial (freeware version available, detection only) NIAP Validated No Common Criteria Developer Sagyn Solutions Availability http://www.sysintegrity.net/ IA Tools Report 83 Section 4 Anti-Malware Tools Secure Resolutions Anti-CyberCrime 2009 Abstract Anti-CyberCrime provides on-access and on-demand anti-malware scanning, removal, and quarantine. The tool provides comprehensive reports of its activities and findings. It has been optimized to support downloads of updates over Wi-Fi links. Anti-CyberCrime 2009 Type Malware detection and removal OS Vista, XP, Windows 2000 (client and server), Server 2003 Hardware License Commercial NIAP Validated No Common Criteria 84 IA Tools Report Developer Secure Resolutions, Inc. Availability http://www.secureresolutions.com/ Products/ SecureResolutionsSuiteConsumer/ tabid/115/Default.aspx Section 4 Anti-Malware Tools Security Stronghold Security Suite Abstract Security Suite integrates Security Stronghold’s True Sword anti-spyware and Active Shield anti-virus tools, described in Sections 4.2.3 and 4.2.2, into a single integrated anti-malware system. Security Suite Type Malware installation prevention and spyware detection and removal OS Windows 2000, XP, 2003, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Security Stronghold (Russian Federation) Availability http://www.securitystronghold.com/ security_suite.html IA Tools Report 85 Section 4 Anti-Malware Tools Smart PC Solutions 1-2-3 Spyware Free Abstract A free anti-spyware and anti-virus solution, 1-2-3 Spyware Free detects and removes all kinds of viruses, spyware, Trojans, and harmful components. 1-2-3 Spyware Free downloads all updates automatically on a schedule, providing a completely transparent and unattended operation. Real-time protection notifies the user about any suspicious activities that a malicious program may attempt, and allows you to block hazardous activities to prevent infection. Scheduled system scans and updates maintain security on a continued basis. The Undo option makes it possible to roll back any infected entries that were deleted. 86 IA Tools Report 1-2-3 Spyware Free Type Virus detection and removal OS Windows NT, 2000, XP, 2003, Vista® Hardware License Freeware NIAP Validated No Common Criteria Developer Smart PC Solutions, Inc. Availability http://smartpctools.com/antispyware/ Section 4 Anti-Malware Tools Sourcefire ClamAV 0.95 Abstract ClamAV is an open source command-line (and, in Linux and Free Berkeley Software Distribution [BSD], on-access) anti-malware scanner. As a command line tool, it is implemented as a multi-threaded daemon to be installed on UNIX/Linux-based mail gateways. ClamAV listens on a UNIX (local) socket or Transmission Control Protocol (TCP) socket for inbound email messages and their attachments. Features of ClamAV include— XXAbility to detect over 530,000 viruses, worms, and ClamAV 0.95 Type Virus detection and termination OS GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X Hardware License GPL NIAP Validated No Common Criteria Developer Sourcefire, Inc. Availability http://www.clamav.net/ Trojans, including Microsoft Office macro viruses, mobile malware, and other threats; XXMilter [14] interface for sendmail; XXDatabase updater with support for scripted updates and digital signatures; XXThread-safe virus scanner C library; XXVirus database updates multiple times daily; XXBuilt-in support for— • Compression/archive formats, including Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, compiled HTML help (CHM), BinHex, and SIS; • Almost all email file formats; • Executable files (including portable executables) compressed by a variety of different compression tools and algorithms; • Popular document formats, including Microsoft Office and MacOffice files, HTML, RTF, and portable document format (PDF). IA Tools Report 87 Section 4 Anti-Malware Tools SRN Micro Systems Solo Antivirus Abstract Solo Antivirus detects and removes viruses (including boot sector, partition table, file, and macro viruses), worms, spyware, adware, Trojans, backdoors, and malicious Visual Basic® and JavaScript programs. Solo Antivirus includes the “Solo system integrity checker” that monitors the system registry, startup initialization (.ini) file, and other system files to identify and protect against new malware. 88 IA Tools Report Solo Antivirus Type Malware detection and removal OS Windows XP, Vista, ME, 2000, 98, 95 Hardware License Commercial NIAP Validated No Common Criteria Developer SRN Micro Systems (India) Availability http://www.srnmicro.com/ Section 4 Anti-Malware Tools Sunbelt Software VIPRE® Antivirus + Antispyware, Enterprise, SDK Abstract Using signature matching, heuristic analysis, and behavioral analysis, VIPRE protects against complex known and unknown malware threats, including viruses, adware, spyware, and rootkits. VIPRE’s Active Protection delivers real-time monitoring and protection against known and unknown malware threats by working inside the Windows kernel to watch for malware and stop it before it has a chance to execute. The tool’s protection against email viruses includes direct support for Outlook 2000+, Outlook Express 5.0+, and Windows Mail on Vista, and for any email program that uses POP3 and SMTP (e.g., Thunderbird, IncrediMail, Eudora); SSL supported only in Outlook/ Outlook Express. APIs to the tool can be accessed via a C library or Component Object Model interface. VIPRE Enterprise provides the same anti-malware protection as Antivirus + Antispyware for single user, plus a central policy/configuration/installation management dashboard and integration with Network Access Control devices and SSL virtual private network devices from Cisco, Juniper, F5, etc., enabling VIPRE endpoints to be automatically recognized and their security policies enforced by these security devices. Sunbelt Software also offers the VIPRE SDK to enable original equipment manufacturers (OEMs) and service providers to integrate VIPRE Antivirus + Antispyware into their security gateway packages and appliances. VIPRE Antivirus + Antispyware, Enterprise, SDK Type Malware detection and removal OS Antivirus + Antispyware—Windows Server 2008, Vista, Server 2003, XP, 2000; Enterprise Administrator Console— Server 2008, Vista Business/Ultimate, Server 2003, Small Business Server, XP Professional, 2000 Server/Professional; MDAC 2.6 SP2, IE 6.0, .NET Framework 2.0; Enterprise Agent—Server 2008, Vista, Server 2003, Small Business Server 2003, XP, 2000 Server/Professional; IE 6.0; for email support add one of these—Vista Windows Mail, Outlook 2000+, Outlook Express 5.0+, SMTP+POP3 client Hardware Antivirus + Antispyware—512 MB RAM; Enterprise Administrator Console— Pentium III 400 MHz, 512 MB RAM, 300 MB free disk space, monitor with 1024x768 resolution; Enterprise Agent—512 MB RAM, 150 MB free disk space License Commercial NIAP Validated No Common Criteria Developer Sunbelt Software, Inc. Availability http://www.sunbeltsoftware.com/ Home-Home-Office/VIPRE/ http://www.sunbeltsoftware.com/ Business/VIPRE-Enterprise/ http://www.sunbeltsoftware.com/ Government/VIPRE-Enterprise/ http://www.sunbeltsoftware.com/ Developer/VIPRE-SDK/ IA Tools Report 89 Section 4 Anti-Malware Tools Symantec® Endpoint Protection and AntiVirus Abstract Symantec offers full range of tools for home and business use, all of which include anti-malware capabilities. The products described here are those that focus on anti-malware protection. All Symantec AntiVirus tools use the company’s AntiVirus Scan Engine to detect viruses, worms, and Trojan horses in all major file types, including mobile code and compressed file formats The tool’s virus definitions and engines are updated automatically via LiveUpdate with no interruption in virus scanning. Symantec also makes its Scan Engine 5.2 available to developers and integrators who wish to incorporate Symantec’s AntiVirus scanning technology into their proprietary applications. Below are descriptions of the capabilities of the individual products in the AntiVirus product line. XXEndpoint Protection 11.0—Anti-malware for laptops, desktops, and servers within larger enterprises. It provides a single software agent that is able detect and remove viruses, worms, Trojans, spyware, adware, bots, zero-day threats, and rootkits. Within the tool, TruScan® Proactive Threat Scan performs heuristic/behavior-based scanning for unknown and zero-day threats, scoring both the good and bad behavior of unknown software to enable more accurate malware detection by reducing the number of false positives. This enables the tool to accurately detect malware without present rules-based configurations. The tool also incorporates VxMS (Veritas® Mapping Service) technology to gain access at the kernel level (below the OS) for detection, analysis, removal, and repair of even very-difficult-to-find/ eradicate rootkits, eliminating the need to reimage rootkit-infected machines. Signature file updates and other updates are centrally stored in a dedicated database and distributed from a Management Server, with all endpoints administered from a single Management Console. 90 IA Tools Report The management console enables the administrator to control user and application access to specific processes, files, and folders, and to perform application analysis, process control, file and registry access control, and module and DLL control. It enables administrators to restrict certain activities deemed as suspicious or high risk. The tool also controls which peripherals can be connected to a machine and how the peripherals are used. It locks down endpoints to prevent connections from thumb drives, CD burners, printers, and other USB devices. These administrative controls significantly hamper malware from spreading to other endpoints, from PCs, servers, or peripherals; it has the coincidental advantage of helping to prevent data leakage. XXEndpoint Protection Small Business Edition—This tool is intended for small businesses. It provides the same anti-malware capabilities, but simplifies the management and administrative sophistication, with the capabilities and needs of small businesses in mind. XXEndpoint Protection for Windows XP Embedded— This tool is designed specifically for embedded devices running Windows XP Embedded 5.1 and Windows Embedded Point of Sale with limited hard drive or flash memory size, to defend them against worms, Trojan horses, viruses, and other malicious code attacks and infection. Such devices include thin clients, point-of-sale terminals, automated teller machines, and medical devices. To block malware attacks from reaching these devices, the tool also provides an application-layer firewall and intrusion detection and prevention system. The tool is administered by the Symantec Policy Manager’s Java-based console. XXAntiVirus for Caching—Provides scalable virus protection for HTTP and FTP/HTTP traffic served through or stored on caching devices, including Blue Coat ProxySG®, Network Appliance NetCache, Section 4 Anti-Malware Tools and Cisco’s Application and Content Networking System Content Engines. The tool supports version 1.0 of the Internet Content Adaptation Protocol 1.0 for deployment of anti-virus services at the gateway with minimal network latency. XXAntiVirus for Messaging—Scalable virus protection for email traffic passing through various messaging solutions. XXAntiVirus for Network Attached Storage—Scalable virus protection for Network Attached Storage (NAS) devices. Tested and verified by several NAS vendors to operate with their devices. XXMobile AntiVirus for Windows Mobile—Mobile AntiVirus provides on-device, automatic, realtime scanning to protect devices running the Windows Mobile OS, such as Windows PocketPCs and smartphones, against threats downloaded from the Web, sent via email or a Wi-Fi connection, or received via Bluetooth or infrared ports. The tool is able to quarantine viruses for later review, and includes an SMS listener to enable administrators to remotely initiate ondevice actions. Event logging also enables administrators to generate an on-device eXtensible Markup Language (XML) file of event logs more detailed than the on-device activity log. Endpoint Protection 11.0 Type Malware detection and removal OS Client Workstations and Servers— Windows 2000 Server; XP; Server 2003; Server 2008; Vista; Small Business Server; Essential Business Server; Red Hat Enterprise Linux 3.x-5.x; SuSE Linux Enterprise (server/desktop) 9.x-10.x; Novell Open Enterprise Server (OES/ OES2); VMWare® ESX 2.5-3.x; Ubuntu 7.x-8.x; Debian 4.x Management Server—Windows 2000 Server; XP Professional; Server 2003; Server 2008; Small Business Server; Essential Business Server Management Console—Windows 2000 Professional or Server; XP Professional; Server 2003; Vista Hardware Client Workstations and Servers—32- or 64-bit Pentium; 256 MB RAM; 600 MB free disk space Management Server—32- or 64-bit Pentium; 1 GB RAM; 2 GB free disk space (+4 GB for database support) Management Console—32- or 64-bit Pentium; 512 MB RAM; 15 MB free disk space Note—Itanium not supported License Commercial NIAP Validated Common Criteria Symantec has also purchased the Norton AntiVirus tool, covered earlier in this report, which it still markets under the Norton brand. Developer Symantec Corporation Availability http://www.symantec.com/business/ endpoint-protection IA Tools Report 91 Section 4 Anti-Malware Tools Endpoint Protection Small Business Edition AntiVirus for Caching Type Malware detection and removal Type Malware detection and removal OS Client Workstations and Servers— Windows 2000 Professional/Server; XP; XP Embedded; Vista; Server 2003; erver 2008 Symantec Protection Center Management Server—Windows 2000 Server; XP; Server 2003; Server 2008 OS Red Hat Linux Enterprise Server 3/4; Red Hat Linux Advanced Server 3/4; Red Hat Enterprise Linux 5; SuSE Linux Enterprise Server 9/10; Solaris 9/10; Windows 2000 Server, Server 2003, Server 2003 R2 Hardware Linux—Pentium 4 1 GHZ, 1 GB RAM, 500 MB free disk space; Solaris—SPARC, 1 GB RAM, 500 MB free disk space; Windows— Pentium 4 1 GHz, 1 GB RAM, 500 MB free disk space 1 TCP/IP network interface card with static IP address, 100 Mbps Ethernet link (1 Gigabit per second recommended) License Commercial Hardware Client Workstations and Servers—32- or 64-bit 1 GHz Pentium III; 256 MB RAM (1 GB recommended); 700 MB free disk space Symantec Protection Center Management Server—32- or 64-bit 1 GHz Intel Pentium III; 1 GB RAM (2 GB recommended); 4 GB free disk space Note—Itanium® not supported. License Commercial NIAP Validated Common Criteria Developer Symantec Corporation Availability http://www.symantec.com/business/ endpoint-protection-small-business-edition Endpoint Protection for Windows XP Embedded NIAP Validated Common Criteria Developer Symantec Corporation Availability http://www. symantec.com/business/ anti-virus-for-caching AntiVirus for Messaging Type Malware detection and removal OS Same as AntiVirus for Caching Hardware Same as AntiVirus for Caching License Commercial Type Malware detection and removal OS Windows XP Embedded 5.1, Windows Embedded for Point of Service Hardware Pentium 133, 128 MB RAM, 40 MB free disk space Common Criteria Developer Symantec Corporation Commercial Availability http://www.symantec.com/business/ anti-virus-for-messaging License NIAP Validated NIAP Validated Common Criteria Developer Symantec Corporation Availability http://www. symantec.com/business/ endpoint-protection-for-windows-xpembedded Mobile AntiVirus for Windows Mobile Type Malware detection and removal OS Microsoft Windows Mobile 6 Professional or Standard, 5.0 PocketPC or Smartphone Hardware PocketPC, smartphone, or other device that supports Windows Mobile; 2.5 MB memory License Commercial NIAP Validated Common Criteria 92 IA Tools Report Developer Symantec Corporation Availability http://www.symantec.com/business/ mobile-anti-virus-for-windows-mobile Section 4 Anti-Malware Tools TrendMicro AntiVirus + AntiSpyware Abstract An anti-virus/anti-spyware tool that features automatic scans, updates, and outbreak alerts. The tool scans PC and incoming emails for malicious viruses, worms, Trojan horse programs, and spyware, and also provides anti-rootkit protection and proactive intrusion blocking. Trend Micro’s AntiVirus and AntiSpyware technologies are also incorporated into the company’s Worry-Free Business Security, OfficeScan Client-Server Suite, InterScan Messaging Hosted Security, and ScanMail Suite products for small, medium, and large businesses. AntiVirus + AntiSpyware Type Malware detection and removal OS Windows Vista, XP Hardware Vista—Pentium 800 MHz, 512 MB (1 GB recommended) RAM XP—350 MHz Pentium—256 MB (512 MB recommended) RAM All—300 MB free disk space; for console—Extended Graphics Array (XGA) monitor with 1024x768 dpi License Commercial NIAP Validated no Common Criteria Developer TrendMicro, Inc. Availability http://us.trendmicro.com/us/products/ personal/anti-virus-plus-anti-spyware/ index.html IA Tools Report 93 Section 4 Anti-Malware Tools Trojan Remover 6.7.9 Abstract Trojan Remover aids in the removal of malware, including Trojan horses, worms, adware, spyware. Trojan Remover examines all the system files, the Windows Registry, and the programs and files loaded at boot time, as well as services hidden by rootkit techniques. Trojan Remover can be instructed to remove the specific malware-related files and to disable the malware upon request. Trojan Remover 6.7.9 Type Hidden malware detection and removal OS Windows 98, ME, 2000, XP, Vista, Windows 7 Hardware License Commercial NIAP Validated No Common Criteria 94 IA Tools Report Developer Simply Super Software Availability http://www.simplysup.com/ Section 4 Anti-Malware Tools TrustPort Antivirus 2009, USB Edition, U3 Edition Abstract TrustPort Antivirus 2009 uses multiple scanning engines to perform anti-virus and anti-spyware detection and removal. Signature-based scanning with regular automatic virus sample updates combines with heuristic analysis and virtual computer testing that reveal unknown threats. In addition, the tool performs anti-spam filtering to reduce the risk of users inadvertently opening of infected email attachments or being directed to malicious Web sites, detection of viruses on Web sites to which the user connects, and Web site blacklisting to prevent drive-by downloads. Emails and inserted media are automatically scanned, and detected malware is quarantined. The tool also generates a rescue boot disk to ease recovery after a malware infection. The tool comes in PC and Server editions; USB and U3 Editions are also available to scan USB and U3 flash media. TrustPort Antivirus 2009 Type Malware detection, blocking, and removal OS Windows 2000, 2003, 2008 Server, XP, Vista Hardware Pentium 4, 512 MB RAM, 250 MB free disk space; USB and U3 editions require the appropriate USB connections License Commercial NIAP Validated No Common Criteria Developer TrustPort, a.s. (Czech Republic) Availability http://www.trustport.com/index. php?id=593,1118,0,0,1,0 IA Tools Report 95 Section 4 Anti-Malware Tools VirusBuster® Abstract The VirusBuster line of anti-virus products include— XXVirusBuster Professional for clients and VirusBuster for Linux/FreeBSD clients—Resident protection and content filter with pre-defined protection levels from which the user can choose, or which he/she can modify as needed. The resident protection module provides protection for all files on the computer. The content filter protects the computer against all Internet-borne viruses, worms, Trojans, backdoors, scripts, macro viruses and other harmful code by scanning incoming email (POP3, SMTP, IMAP) and data transmitted via HTTP and FTP; XXVirusBuster for Servers—Uses VirusBuster’s heuristic analysis-based scan engine to detect harmful programs, known viruses, and malicious code; XXVirusBuster for Mail Servers—Zero Hour Virus Protection and Extended Spam Protection technologies detect the attacking/spreading wave itself connecting and communicating permanently to a central server. These filters are able to reveal the virus and spam mail attacks minutes after they have been started and block these emails long before the first virus or spam database updates are released. The tool can also block I-Worms in real time. VirusBuster offers a command line-based VirusBuster Scanner product line for use on older OSs. VirusBuster includes its anti-malware technology in its Internet Security Suite cyber security product. VirusBuster also offers the VirusBuster anti-malware software development kit, which enables integrators to include VirusBuster’s anti-malware engine in the systems they develop. 96 IA Tools Report VirusBuster Type Malware detection and removal OS VirusBuster Scanners—Windows 2000, 95, 98, ME, XP, NT4 Workstation; FreeBSD, Linux, OpenBSD, Solaris, AIX VirusBuster Professional—Windows 95, 98, ME, NT4 Workstation, 2000, XP, Vista VirusBuster Personal—Windows 95, 98, ME, 2000, XP, Vista VirusBuster for Linux/FreeBSD — FreeBSD, Linux VirusBuster for Samba Servers— Linux, Solaris VirusBuster for NetWare Servers— Novell NetWare VirusBuster for Windows Servers— Windows NT4 Server, 2000 Server, Server 2008 VirusBuster for Mail Servers (SMTP or Sendmail, Qmail, Linux GroupWise, Courier) —Linux, FreeBSD, OpenBSD, Solaris, AIX VirusBuster for Mail Servers (NetWare GroupWise®) —Novell NetWare GroupWise Hardware License Commercial NIAP Validated No Common Criteria Developer VirusBuster (Hungary) Availability http://www.virusbuster.hu/en/product/ antivirus/index http://www.virusbuster.hu/en/product/ antivirus/oem/sdk Section 4 Anti-Malware Tools Webroot® AntiVirus with AntiSpyware 6.1, AntiSpyware Corporate Edition 3.5 with AntiVirus Abstract Webroot’s AntiVirus combines anti-virus detection based on Sophos’ anti-virus technology with Webroot’s own Spy Sweeper (discussed in Section 4.3.2) to provide comprehensive protection against complex threats including viruses, worms, Trojans, rootkits, spyware, adware, and keyloggers. AntiSpyware Corporate Edition with AntiVirus combines Webroot’s AntiSpyware Corporate Edition, discussed in Section 4.3.1.3, with Webroot’s AntiVirus product, discussed in Section 4.3.1.2. TrustPort Antivirus 2009 Type Malware detection and removal OS AntiVirus with AntiSpyware—Windows Vista, XP; Corporate Edition—Windows Vista, 2000 Professional or Server (SP 4), XP Professional (SP 2), 2003 Standard, Enterprise, R2, or Small Business Server (SP1) Hardware AntiVirus with AntiSpyware—300 MHz CPU, 256 MB RAM, 100 MB free drive space; Corporate Edition—1 GHz CPU, 1 GB RAM, 1 GB free disk space License Commercial NIAP Validated No Common Criteria Developer Webroot Software, Inc. Availability http://www.webroot.com/En_US/ consumer-products-antivirus.html http://www.webroot.com/En_US/ business-antispyware-ce-with-antivirus. html IA Tools Report 97 Section 4 Anti-Malware Tools WenPoint HiddenFinder v1.5.3 Abstract HiddenFinder is an advanced security utility that detects and kills processes and drivers hidden by attack code. Such processes and drivers may be associated with spyware, backdoors, rootkits, or viruses. HiddenFinder explorers the system at the kernel level and displays all running processes and drivers, including those that are hidden. The user can then terminate the detected hidden processes/drivers, which will coincidentally stop the execution of most spyware, viruses, and Trojans. 98 IA Tools Report HiddenFinder v1.5.3 Type Malicious process termination OS Windows 2000 and XP Hardware Pentium II; 128M RAM License Freeware NIAP Validated No Common Criteria Developer WenPoint Corporation Availability http://www.wenpoint.com/download/ download.php Section 4 Anti-Malware Tools Zemana AntiLogger Abstract AntiLogger relies on its own unique technology to detect when malware is running on a user’s PC— without malware signatures. This technology detects when malware runs on the computer, then terminates that malware before it can damage the system or steal data. Zemana’s AntiLogger eliminates threats from keyloggers, SSL banker Trojans, spyware, and other malware, including sophisticated zero-day malware and other viruses, worms, Trojans, spyware executables, and rootkits that elude signature-based tools. AntiLogger Type Malware detection and termination OS Windows XP Hardware License Commercial NIAP Validated No Common Criteria Developer Zemana Ltd. (Turkey) Availability http://www.zemana.com/ AntiloggerOverview.aspx IA Tools Report 99 Section 4 Anti-Malware Tools 4.3.1.2 Anti-Virus Tools The tools described in this section are understood to address viruses, worms, and Trojans delivered to (rather than built into) the targeted system. 100 IA Tools Report Section 4 Anti-Malware Tools AhnLab Mobile Security Abstract AhnLab Mobile Security uses AhnLab’s V3 antivirus engine technology to provide anti-virus protection for WiFi devices. The tool supports manual, real-time, and .sis and .cab file attachment scanning and sanitization. AhnLab Mobile Security Type Malware detection and removal OS Devices—Symbian OS 7.0s, Symbian OS 8.0a, Symbian OS 8.1a; Windows Mobile 2003, 2005; Host—Windows XP, 200, ME, 98 Server Edition running Activesync 3.7 or higher Hardware Devices—Symbian OS 8.1, OS 8.0a, 7.0s; Windows Mobile; Nokia 3230, 6600, 6620, 6670, 6260, 7610 (Symbian OS 8); Nokia 6630, 6680, 6681, 6682 (Symbian OS 7); Samsung Phaeton I (Symbian OS 8.1); Microsoft Pocket PC 2003, 2005 (Win Mobile) License Commercial NIAP Validated No Common Criteria Developer Zemana Ltd. (Turkey) Availability http://global.ahnlab.com/global/prod_ detail.ESD ?parmProd _class= C&parmProd_type =CM&prod_seq=1023 IA Tools Report 101 Section 4 Anti-Malware Tools AnVir Virus Destroyer Abstract AnVir Virus Destroyer supplements existing antivirus and anti-malware tools by providing users with additional capabilities, including— XXFull information about processes, services, Internet connections, drivers, and running DLLs; XXDetailed information for over 70,000 binary executables; XXSecurity analysis of application behavior to aid in the detection of malware; XXMonitors for CPU, memory, disk usage, and battery power. AnVir Virus Destroyer is also included in the AnVir Security Suite and Task Manager Suite products. 102 IA Tools Report AnVir Virus Destroyer Type Virus detection and removal OS Windows 95 and later; Linux; Mac OS X 10.3 and later Hardware License Commercial NIAP Validated No Common Criteria Developer AnVir Software (Russian Federation) Availability http://www.anvir.com/virusdestoyer/ Section 4 Anti-Malware Tools ArcaBit ArcaVir® 2009 Antivirus Protection Abstract ArcaVir comprises an anti-virus engine (which includes a database of different variants of viruses, worms, Trojans, and other malware exploits), signature-based and heuristic scanning (detects and disarms novel threats), and quarantine of detected viruses. The tool supports both an monitoring of network/Internet connections, AntiStealth detection of hidden processes and objects, and scanning of email attachments, CDs, and floppy disks. The tool’s ArcaNix system enables ArcaVir to control the computer’s boot sequence and to scan all drives and Windows NT File System partitions. The tool comes in editions for home use and for Pocket PC, and business editions for Microsoft Windows Server and Exchange Server, and for Lotus Notes, Linux/FreeBSD, and Novell Netware. ArcaBit also offers ArcaVir On-line, which enables users to use a ArcaVir-as-a-Service to scan their PCs and remediate any malware detected. ArcaVir 2009 Antivirus Protection Type Malware detection and removal OS Home edition—Windows XP, Vista (earlier versions of ArcaVir are still available for Windows 2000, NT 4.0, ME, and 98); Windows Server edition— Windows Server 2000, 2003, 2008; Pocket PC edition—Windows CE, Symbian OS Hardware License Commercial NIAP Validated No Common Criteria Developer ArcaBit Sp. z o.o. (Poland) Availability http://www.arcabit.pl/content/ view/142/164/lang,english/ IA Tools Report 103 Section 4 Anti-Malware Tools Ashampoo AntiVirus Abstract Ashampoo AntiVirus provides comprehensive protection against viruses, worms, Trojans, and dialers. The tool scans all critical system areas, memory, emails, and files. It provides a very intuitive user interface, and places a very low overhead load on the system so is transparent to the user. The virus signatures are updated several times a day and the program checks for updates automatically, and can be configured to do so every hour. The tool also supports multiple scan modes, including automatic real-time scanning, manual scans, and scheduled scans. Quarantining moves infected or suspicious files to a locked quarantine area. The tool also provides an integration option whereby the tool can scan files for viruses directly in Windows Explorer. 104 IA Tools Report Ashampoo AntiVirus Type Virus detection and removal OS Windows 2000, XP, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Ashampoo GmbH (Germany) Availability http://www.ashampoo.com/frontend/ products/php/product. php?session_langid=2&idstring=0045 Section 4 Anti-Malware Tools Australian Projects Zondex Guard Abstract Zondex Guard is a highly automated anti-virus utility that enables real-time scanning and continuous monitoring, detection, and remediation of viruses, as well as blocking of unauthorized executables. The tool’s built-in self-management system automatically updates the virus definition files and upgrades the tool’s control engine. Zondex Guard Type Malware detection and removal OS Windows 2000, XP (also runs on 95, 98, and ME, but no technical support is provided for the tool on these OSs) Hardware License Commercial NIAP Validated No Common Criteria Developer Australian Projects Pty Ltd. (Australia) Availability http://www.apro.com.au/products/ zondex-guard.html IA Tools Report 105 Section 4 Anti-Malware Tools Beijing Rising International Software Rising PC Doctor Abstract Rising PC Doctor performs automatic malware analysis and immunization. The tool can detect and remove most Trojans, spyware, and a significant amount of other malware, detecting the malicious programs when they attempt startup and “defusing” them before they can execute their malicious functions. The tool’s Trojan blocking technology prevents computers, including infected computers, from downloading additional viruses and Trojans, thereby preventing their propagation. Rising PC Doctor automatically scans programs loaded at boot time, system drivers, ActiveX controls, and other software that influences the computer’s operation for unknown malware, which the user can choose to have automatically transferred to Beijing Rising’s Automated Malware Analyzer for detailed analysis and reporting back to the user. The tool also performs a vulnerability scan of Windows and its security settings, and of third-party software from many vendors, to detect vulnerabilities that can be exploited malware. Rising PC Doctor can also configure IE to avoid visiting Web pages that have been corrupted by malware or which permanently display adware. The tools can also repair the PC system registry, system settings, and host file. Also provided are additional “expert user” tools for disk cleanup, system startup management, service management, network application management, layered service profile repair, file shredding, and special virus removal. 106 IA Tools Report Rising PC Doctor Type Malware detection and removal OS Windows 2000, XP, 2003, Vista Hardware License Freeware NIAP Validated No Common Criteria Developer Beijing Rising International Software Co., Ltd. (China) Availability http://www.rising-global.com/products/ rising-pc-doctor.html Section 4 Anti-Malware Tools BullGuard® Mobile Antivirus Abstract Protects Pocket PCs and smartphones from viruses, worms, and Trojans that target mobile platforms. The tool scans all incoming traffic (e.g., SMS and multimedia messaging service [MMS] messages, Bluetooth, emails, downloads) for malicious programs. The user can launch a scan of a mobile device at any time. Automatic over-the-air updates ensure your device is protected against the latest threats. BullGuard provides 24/7 support free to customers. BullGuard also includes its Antivirus technology in BullGuard Internet Security 8.5. BullGuard Mobile Antivirus Type Malware detection and removal OS Windows Mobile 5 or later Hardware Symbian S60 v9.x or UIQ v3.X; 4 MB free storage space License Commercial NIAP Validated No Common Criteria Developer BullGuard Ltd. (United Kingdom) Availability http://www.bullguard.com/why/bullguardmobile-antivirus.aspx IA Tools Report 107 Section 4 Anti-Malware Tools CA® Anti-Virus 2009 Abstract CA’s Anti-Virus 2009 protects against viruses, worms, and Trojans that can invade unprotected PCs via email, downloads, instant messages, and Web page accesses, and can erase computer files, damage the hard drive, and destroy information contained in documents, image files, audio files, and other files. The tool performs real-time scanning of files whenever they are opened, closed, or saved, and automatic scans of email upon receipt. The tool is able to scan files archived by a variety of compression techniques and formats. The tool includes both signature-based and heuristic scanning (to detect new threats before virus signature updates are created), and sends all suspect files to a secure quarantine area. Users can configure the tool to exclude certain files from being scanned. CA provides daily, fully automatic updates of the tools and its virus signatures. Anti-Spyware 2009 has been certified by ICSA Labs, West Coast Labs, and Virus Bulletin as providing effective virus protection. Anti-Virus 2009 is also included in the CA Internet Security Suite. 108 IA Tools Report Anti-Virus 2009 Type Malware detection and removal OS Windows 2000, XP, or Vista Hardware 300 MHz CPU (800 MHz for Vista), 256 MB RAM (512 MB for Vista), 35 MB free disk space License GPL NIAP Validated No Common Criteria Developer CA Availability http://shop.ca.com/virus/anti-virus.aspx Section 4 Anti-Malware Tools Deerfield.com VisNetic® MailScan Abstract VisNetic MailScan features comprehensive, flexible anti-virus protection tools to protect the network from email viruses and email content filtering technology designed to reduce unwanted messages. The tool’s scanning features include— VisNetic MailScan Type Virus detection and removal OS Windows 95, 98, ME, NT4, XP, 2000 Server and Professional Hardware 166 Mhz CPU, 64 MB RAM, 50 MB free disk space License Commercial XXReal-time email scanning; NIAP Validated No XXAttachment blocking; Common Criteria XXAutomated, fast virus signature updates; XXAutomatic worm deletion; XXScans HTML emails and attachments for scripts, also termed IE vulnerabilities; XXScans multipart/partial messages for viruses; XXDetects and disinfects viruses traveling via Transport Neutral Encapsulation Format attachments, a standard delivery method used in Microsoft Outlook; XXFeatures the option to specify certain domains as “approved” or “verified safe,” thereby reducing the amount of total scanning required. Developer Deerfield Communications, Inc. Availability http://www.deerfield.com/products/ mailscan/ In addition, MailScan performs the content filtering to prevent spam by blocking email from suspicious or unwanted senders or source addresses. MailScan comes in versions that support SMTP (e.g., Microsoft Exchange, VisNetic MailServer, MDaemon®, FTGate®, NTMail, Merak Mail Server) and MDaemon email servers. IA Tools Report 109 Section 4 Anti-Malware Tools DiamondCS WormGuard Abstract WormGuard provides deep-scanning generic, heuristic detection technology driven by a smart analysis engine that includes intelligent rule-sets that are used to detect and block worms, including worms of which the tool has no prior knowledge. Specifically, the tool determines what the suspect executable actually does and alerts the user if it is potentially harmful. The user can then analyze the output from WormGuard to determine whether the suspect file is safe to open/suspect executable is safe to run. WormGuard can perform detection on all executable files and file types. WormGuard also provides extended universal detection and analysis of macros across all Microsoft Macro formats and of command files. Other objects detected by WormGuard include password stealers, keyloggers, IRC worms, and references to known worm authors. WormGuard employs a non-resident execution hook method to render itself immune to TerminateProcess and SuspendProcess vulnerabilities found in other active security systems. 110 IA Tools Report WormGuard Type Worm detection OS Windows 95, 98, ME, NT, 2000, XP, Server 2003 Hardware License Commercial (freeware versions available) NIAP Validated No Common Criteria Developer DiamondCS (Australia) Availability http://www.diamondcs.com.au/ wormguard/ Section 4 Anti-Malware Tools e-Frontier Virus Killer Internet Security, Virus Killer Zero Abstract e-Frontier’s Virus Killer products scan for known and unknown viruses and variants, and use a variety of disinfection techniques. The tools runs a background monitor that senses whenever a new virus definition file becomes available, and automatically downloads it. There appears to be a gaming edition that does not require installation on the target PC but runs from a USB drive. e-Frontier’s Virus Killer product line includes Virus Killer Internet Security “Hokuto No Ken,” “Ragunarokuonrain,” Limited Edition, and “Tokimekihuantajirateru,” and Virus Killer Zero Internet Security Limited Edition and Special Edition. Each license supports up to three target PCs. e-Frontier Virus Killer Internet Security, Virus Killer Zero Type OS Malware detection and removal All Editions except “Ragunarokuonrain”— Windows 2000 Professional, Vista, XP (all 32-bit) running IE 5.0 (6.0 recommended); for mailbox scanning add—Windows Mail, Outlook Express 4.0, Outlook 98, Netscape Mail 4.7.2, or Lotus Notes. Encrypted email not supported; “Ragunarokuonrain” Edition—Windows 200 Professional, XP, Vista (all 32-bit only); if running Win 2000/XP—DirectX 8.0; if running Vista—DirectX 9.0; All—operating system and application versions must be Japanese. Hardware On Vista—Pentium 1 GHz, 512 MB RAM; on XP/2000—Pentium 500 MHz, 256 MB RAM (512 MB recommended); Both—400 MB free disk space, monitor/console 1024x764 resolution with 24+-bit color depth, broadband Internet connection (e.g., ADSL 1.5 Mbps); Virus Killer Gaming edition—on XP/2000—Pentium III/AMD 650 MHz, 3 dimensional graphics card with 16 MB video RAM; on Vista— Pentium 4 3 GHz/Athlon64 3500, Vista 3 dimensional graphics card with 128 MB video RAM; Both—2 GB free disk space, USB port License Commercial NIAP Validated No Note—The e-Frontier and Virus Killer Web sites are only provided in Japanese. The information here is based on automated translations into English by Google Translate and Yahoo! Babel Fish. The authors of this report apologize for any inadvertent misinformation due to inaccurate translation. Common Criteria Developer e-Frontier Inc. (Japan) Availability http://www.viruskiller.jp/ IA Tools Report 111 Section 4 Anti-Malware Tools FRISK Software International F-PROT® Antivirus v6 Abstract FRISK offers home editions (for Windows and Linux) and business editions (for Windows, Linux, BS, Solaris, IBM eServers, and Exchange mail servers) of F-PROT Antivirus. The tool detects and removes viruses, worms, Trojans, and other malware from files (including archives, Microsoft Office, and ActiveX controls) and emails (Microsoft Outlook supported)—automatically and in real-time. New and unknown threats are detected by the tool’s heuristic’s technology. The tool quarantines infected and suspicious files are quarantined and supports automatic and manual scanning (with user able to configure certain files, folders, and/or extensions for exclusion from scanning). FRISK offers a separate license for F-PROT Antivirus for Windows when used on mail servers. F-PROT for Linux and UNIX workstations scans for nearly 1.4 million known viruses and their variants (the IBM server [Advanced Interactive eXecutive (AIX) and Linux on eServer] versions scan for over 540,000), and in addition to hard drives and network drives (file system directories down to the granularity of individual files), scans CDs and diskettes. The tool on Linux scans for boot sector viruses, macro viruses, and Trojans. FRISK’s Solaris series of products include F-PROT for Solaris on x86 and SPARC workstations, file servers, and mail servers (Sendmail, Postfix, Qmail, other popular Solarisbased mail servers). On all operating systems, the tool includes an optional command line interface for users who prefer it; on Solaris and AIX, the tool also includes a daemon scanner. FRISK also uses its F-PROT Antivirus technology in its AVES managed online email security service. 112 IA Tools Report F-PROT Antivirus Type Malware detection and removal OS Windows 2000 Professional and Server, XP Home and Professional, Server 2003, Vista, Home Server; must run IE 5.0 to enable automatic updates; Mail servers supported on Windows—Microsoft Exchange 2000 or 2003 on Windows 200 Server, Exchange 2003 on Windows 2003 server; SuSE, Red Hat, and Debian Linux; FreeBSD, NetBSD, HomeBSD; Solaris 8/9/10; AIX 5.3; must have Perl 5.8 interpreter installed; Linux/BSD systems must have Dazuko installed in kernel; on IBM eServer, Linux must also have glibc 2.3.2. Hardware Windows versions—20 MB RAM, 80 MB free disk space, monitor/console with 800x600 resolution (1024x768 recommended) and 32-bit color; Linux versions—Pentium or AMD K5, 10 MB of free disk space or IBM zSeries s/390 eServer, 50 MB free disk space; Solaris versions—SPARC or Intel x86 compatible, 50 MB free disk space; AIX versions— IBM pSeries (RS/6000), 75 MB free disk space License Commercial (exception—Linux/BSD workstation/home use versions are Freeware) NIAP Validated No Common Criteria Developer FRISK Software International Availability http://www.f-prot.com/products/ Section 4 Anti-Malware Tools G DATA® AntiVirus 2010 Abstract G DATA AntiVirus runs undetected in the background, using two scanning engines, signatures updated hourly, and self-learning to perform fingerprinting for detection and blocking/removal of viruses, spyware, Trojans, dialers, rootkits, etc. The tool’s OutbreakShield uses behavior blocking, heuristics, and “cloud security” to detect and block known and unknown viruses in infected emails (the tool supports Outlook, Outlook Express, Mozilla, and other POP3/IMAP clients) including attached files and archives. It supports whitelisting by the user to improve tool performance. The tool also supports anti-phishing protection (i.e., blocks connections to known-malicious Web sites). G DATA offers private user, business, and enterprise editions. Enterprise edition includes an AntiVirus ManagementServer for centrally managed installation, scanning, updating, reporting, etc. G DATA AntiVirus Type Malware detection and removal OS Private Use—Windows Vista or XP; Business/Enterprise—Windows 2000 (client only), Server 2008, Vista, 2003, XP at least SP2 Hardware Private Use—Intel 32-bit or 64-bit CPU. 512 MB RAM; Business/Enterprise—all versions except Windows 2000 (32-bit only) run on Intel 32-bit or 64-bit CPU with 256 MB RAM and an Internet connection License Commercial NIAP Validated No Common Criteria Developer G DATA Software AG (Germany) Availability http://www.gdata-software.com/ online-shop/anti-virus-produkte/shop/46private-users/966-g-data-antivirus-2010. html IA Tools Report 113 Section 4 Anti-Malware Tools GFI MailSecurity v.10 Abstract GFI MailSecurity implements multi-engine virus checking using the Norman and BitDefender antivirus engines, and provides the customer with the option of adding the AVG, McAfee, and Kaspersky engines. The toolset checks all inbound and outbound email messages and attachments, with quarantining of potentially dangerous attachment types (e.g., .exe, .vbs) that may contain unexpected/ undesired executables or Trojans. Exchange, SMTP, and Lotus mail are supported. The HTML Sanitizer function scans email and Webmail body parts and .htm/.html attachments for presence of scripting code, which it removes. The tool includes a decompression filter that can decompress and analyze compressed archives attached to emails to detect and block password-protected archives, corrupted archives, recursive archives, and archives that contain too many files or files that are too large (indicating potential presence of malicious executables). 114 IA Tools Report GFI MailSecurity Type Malware detection and removal OS Windows Server 2003, Server 2008, 2000 (Professional, Server, Advanced Server), XP Hardware License Commercial NIAP Validated No Common Criteria Developer GFI Software Ltd. Availability http://www.gfi.com/mailsecurity/ Section 4 Anti-Malware Tools Ikarus Security Software virus.utilities Abstract A comprehensive anti-virus package, Ikarus virus. utilities enables remote scanning of PCs for viruses, worms, Trojans, and other malware. In addition to the virus scanning utilities, which support manual scanning, the package includes Online Guardian Protector, which runs continuously in the background to monitor every read and write transaction, scanning the data (including files compressed using any of 17 different compression formats, including .zip, .arj, and .rar, which it can recursively decompress) for the presence of known and unknown (through heuristics) malware. Searches can be customized, and the tool can be automatically updated, with new signature updates delivered within minutes after virus outbreaks. Moreover, the tool can participate in a Europe-wide sensor network to provide rapid screening and response to detected threats. Ikarus virus.utilities Type Malware detection and removal OS Windows 2000, 2003 Server (limited support), XP, Vista (32-bit/64-bit) Hardware License Commercial NIAP Validated No Common Criteria Developer Ikarus Security Software GmbH (Austria) Availability http://www.ikarus-software.at/products/ virus%20utilities.htm Note—The Ikarus Web site is provided only in German and in Russian translation. The authors of this report apologize for any inadvertent inaccuracies in our translation to English. IA Tools Report 115 Section 4 Anti-Malware Tools ISecSoft Anti-Trojan Elite Abstract Anti-Trojan Elite is a malware remover that includes a real-time malware firewall that monitors the system and cleans malware upon discovery. It also enables the user to view and control processes and TCP/IP network connections. Anti-Trojan Elite recognizes over 35,000 Trojans, worms, and keyloggers. Anti-Trojan Elite Type Trojan detection and removal OS Windows 98, ME, 2000, XP, 2003, Vista Hardware License Commercial NIAP Validated No Common Criteria 116 IA Tools Report Developer ISecSoft Inc. (China) Availability http://www.remove-Trojan.com/index_ate. php Section 4 Anti-Malware Tools Liao Pecong’s USB Drive AntiVirus Abstract USB Drive AntiVirus blocks and remove threats to the system from the USB drive without relying on antivirus signatures, allowing it to protect offline systems from viruses introduced by USB drives. USB Drive AntiVirus will automatically scan any USB drive inserted into the computer, and remove all detected threats. USB Drive AntiVirus also provides anti-data leakage protection, whereby the user can set the USB port status to “read-only” or “readable/writable” on the machine and can disable use of specific USB storage devices to prevent leakage from one USB drive to another. USB Drive AntiVirus Type Hidden malware detection and removal OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer Liao Pecong (China) Availability http://www.usbantivirus.net/default.htm USB Drive AntiVirus can scan and remove threats from pen drives, iPods and iPhones, USB flash cards, USB MP3 players, USB audio players, external hard drives, PocketPCs, mobile phones, other USB mass storage devices IA Tools Report 117 Section 4 Anti-Malware Tools Loaris Trojan Remover 1.1 Abstract Trojan Remover aids in the removal of malware (including Trojans, worms, adware, and spyware) that has not been eliminated by other anti-malware programs. Trojan Remover is designed specifically to disable/remove malware without the user having to manually edit system files or the Windows registry. The program also removes the system modifications performed by some malware—modifications ignored by some other anti-virus scanners. Trojan Remover scans all the files loaded at boot time, performing either a standard scan that requires no user configuration of the scan parameters or a custom scan that enables the user to select specific folders to be scanned. 118 IA Tools Report Trojan Remover 1.1 Type Virus detection and removal OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer Loaris, Inc. (Bulgaria) Availability http://www.loaris.com/trojanremover/ Section 4 Anti-Malware Tools McAfee® VirusScan Abstract VirusScan for PCs and servers proactively stops and removes malicious software and extends coverage against new security risks by blending anti-virus, firewall, and intrusion prevention technologies to cover a broad range of threats. Advanced heuristics and generic detection capabilities find new, unknown viruses, even when hidden in compressed files. McAfee VirusScan looks for exploits known to target Microsoft applications and services, and can identify and block threats that take advantage of JavaScript and VisualBasic coding. The McAfee VirusScan database is updated daily with information from McAfee Avert Labs. VirusScan Type Virus detection and removal OS VirusScan 8.7i for Workstation, VirusScan Plus 2009, VirusScan USB (scanner platform) —Windows 2000, XP, Vista VirusScan 8.7i for Server—Windows 2000 Server, Server 2003, Server 2003 R2, 2008 Server VirusScan for Mac—Mac OS X Tiger ® (10.4.6 or later), Leopard ® (10.5 or later) VirusScan for Windows—Windows 2000, XP, Vista 32-bit Hardware VirusScan 8.7i for Workstation—Intel Pentium or Celeron® 166 MHz; 32 MB RAM; 38 MB free disk space VirusScan 8.7i for Server—Intel Pentium, Celeron, Itanium 166 MHz; 32 MB RAM; 38 MB free disk space VirusScan Plus 2009 —800x600 dpi monitor; 256 MB RAM; 75 MB free disk space; Internet connection VirusScan for Mac—Intel or PowerPC Macintosh; 512 MB RAM; 45 MB free disk space VirusScan USB devices scanned—U3® platform (for Vista, U3 LaunchPad also required); scanner platform—Pentium 300 MHz, 128 MB RAM, U3 USB smart drive, 25 MB free disk space (SanDisk ® preferred) License Commercial NIAP Validated No VirusScan for Mac performs non-intrusive, on-access scanning for viruses, worms, Trojans, and other malicious code, including new and unknown threats that target OS X. As with VirusScan for PCs, VirusScan for Mac is supported by McAfee Avert Labs’ VirusScan database. VirusScan USB detects and removes viruses that can delete files and data from a USB drive. Additionally, this software ensures that the USB drive does not transmit viruses and other threats to each PC that connects with the USB drive. Common Criteria VirusScan Plus 2009 is McAfee’s home user edition, which protects PCs from viruses and spyware (in addition, it includes a firewall and a subscription to McAfee’s SiteAdvisor online safety guide and list of risky Web sites). In addition to its standalone anti-virus products, McAfee includes its virus scanning technology in its other cyber security and external security manager (ESM) products and solutions, such as its WebShield SMTP and Email and Web Security appliances. Developer McAfee Availability http://www.mcafee.com/us/small/products/ virusscan_for_mac/virusscan_for_mac. html http://www.mcafee.com/us/small/products/ virusscan/virusscan_enterprise.html http://home.mcafee.com/store/package. aspx?pkgid=276 IA Tools Report 119 Section 4 Anti-Malware Tools Mischel Internet Security TrojanHunter 5.1 Abstract TrojanHunter is able to clean parasitic Trojans by working inside the infected process to kill all Trojan threads and then unload the loaded Trojan libraries. After this, TrojanHunter can safely clean the Trojan library, while the previously infected process can continue executing as if nothing happened. TrojanHunter 5.1 Type Trojan detection and removal OS Windows 95, 98, ME, NT, 2000, XP and Vista Hardware License Commercial NIAP Validated No Common Criteria 120 IA Tools Report Developer Mischel Internet Security Ltd. (United Kingdom) Availability http://www.misec.net/Trojanhunter/ Section 4 Anti-Malware Tools My Free Antivirus Abstract My Free Antivirus is a unique algorithm of scanning, high speed of detection, daily anti-virus base updates, protection from cyber viruses, Trojans, worms. The Free Antivirus real-time protection module allows you to prevent malware intrusion attempts. My Free Antivirus is undemanding toward computer resources and completely compatible with Microsoft Windows versions, including Windows Vista. The Free Antivirus has an easy-to-use interface and a small-size distributive that is a powerful anti-virus tool. The tool comes in versions for scanning PCs and for scanning U3 flash drives. My Free Antivirus Type Virus detection and removal OS Windows NT, 2000, XP, 2003, Vista Hardware License Freeware NIAP Validated No Common Criteria Developer Smart PC Solutions, Inc. Availability http://smartpctools.com/free_anti-virus/ index1.html http://smartpctools.com/free_anti-virus_ u3/index1.html IA Tools Report 121 Section 4 Anti-Malware Tools New Technology Wave Virus Chaser Abstract Virus Chaser provides protection against executable virus files compressed up to 64 times with ASPack or Ultimate Packer for eXecutables into .zip, .arj, .rar, and .cab compression file formats. The took uses heuristic technology to detect unknown virus variants in system memory, emails/attachments, and HTML Web pages. Virus Chaser signature files are typically updated four to five times per day; during times of peak virus activity, updates may be as numerous as 200 to 400 per day. Virus Chaser is offered in Client, Server, and USB editions. Virus Chaser USB is a USB 2.0 thumb drive (1 GB, 2 GB, or 4 GB) with a minimized version of Virus Chaser installed (that takes up 8 MB of space on the solid state memory chip). All files written to and read from the drive are automatically scanned and, if infected, blocked. Virus Chaser Management Server is also offered for central management, monitoring, and reporting on multiple endpoints running Virus Chaser. Virus Chaser Type Malware detection and removal OS Client—Windows 95/98/ME/2000 Professional/XP/Vista (32-bit); Server— Windows NT/2000 Server/2003; USB —PC must have one of the following installed for Virus Chaser to work— Windows 98/98SE/2000/XP/2003; if used with a Macintosh or Linux system, the device will function as a USB storage drive but Virus Chaser will not function. Management Server—Windows 2000 or later; 1-99 managed endpoints—also need Microsoft SQL Server Desktop; 100-499 management endpoints—also need Microsoft SQL Server 2000 7.0 Hardware Client—Pentium 133 MHz, 16 MB RAM (32 recommended), 8 MB free disk space; Server—Pentium 133 MHz, 16 MB RAM (32 recommended), 8 MB free disk space; Management Server—1-99 managed endpoints—Pentium III 500 MHz, 128 MB RAM; 100-499 managed endpoints— Pentium III 800 MHz, 256 MB RAM License Commercial NIAP Validated No Common Criteria 122 IA Tools Report Developer New Technology Wave Inc. (Korea) Availability http://www.viruschaser.com/enwi/2_01.jsp http://www.viruschaser.com/enwi/2_02.jsp http://www.viruschaser.com/enwi/2_03.jsp ßhttp://www.viruschaser.com/enwi/2_04. jsp Section 4 Anti-Malware Tools PC Tools AntiVirus 6.0.0.19 Abstract PC Tools AntiVirus is an anti-virus scanner with hourly signature updates. PC Tools AntiVirus can be obtained separately, or in combination with PC Tools’ other cyber security products, including SpywareDoctor and Internet Security Suite. AntiVirus 6.0.0.19 Type Virus detection and removal OS Windows Vista, XP, 2000 Hardware License Freeware NIAP Validated No Common Criteria Developer PC Tools Availability http://www.pctools.com/anti-virus/ IA Tools Report 123 Section 4 Anti-Malware Tools Smart PC Solutions Handy Antivirus Abstract This anti-virus solution has a unique algorithm of scanning, high speed of detection as well as daily updates. Handy Antivirus has a real-time protection mode that allows you to prevent malware intrusion attempts. The anti-virus has a user-friendly control, which includes a Handy Antivirus control bar in the upper menu of the browser. By a single click of the mouse, the user can update anti-virus base or check a file on the case of infection. 124 IA Tools Report Handy Antivirus Type Virus detection and removal OS Windows NT, 2000, XP, 2003, Vista Hardware License Freeware NIAP Validated No Common Criteria Developer Smart PC Solutions, Inc. Availability http://smartpctools.com/handy_anti-virus/ Section 4 Anti-Malware Tools VirusBlokAda Vba32 Abstract The Vba32 line of products produced by VirusBlokAda is based on the company’s proprietary anti-virus engine. Vba32 detects and neutralizes computer viruses, mail worms, Trojan programs, and other malware (e.g., backdoors, adware, spyware) in real time and on-demand on PCs running Windows, as well as workstations, file servers, mail servers, and a variety of anti-virus filters for Linux/FreeBSD mail servers. The tool includes a heuristic analyzer that can detect unknown malicious programs and a dynamic code translation processor emulator to handle complex polymorphous viruses, packers, and encryptors. MalwareScope performs the actual malware detection. Program module and anti-virus database updates are done over the Internet using the tool’s “delta-patch” technology. The Vba32 products include integrity control and automatic restoration of damaged modules to improve their reliability. VirusBlokAda Vba32 Type Trojan detection and removal OS Vba32.P—Windows 95, 98, ME, NT, 2000, XP, 2003 Vba32.CL—consoles in DOS, Windows, Linux, FreeBSD Vba32.W—Windows Vba32.NT.S —Windows NT, 2000, 2003 Vba32.9X.N —Windows 95, 98, ME Vba32.LDS—Windows and Linux Vba32.MSE and VBA32.ME2K—Windows Vba32.SM, Vba32.MD, Vba32.EX, Vba32.CP, Vba32.QM, Vba32.PF, Vba32.IC— Linux/UNIX Hardware License Commercial NIAP Validated No Common Criteria Developer VirusBlokAda Ltd. (Belorussia) Availability http://www.anti-virus.by/en/ VirusBlokAda offers anti-virus scanners for PCs, consoles, networked workstations, file servers, and mail servers. IA Tools Report 125 Section 4 Anti-Malware Tools Your-Soft Anti-Virus&Trojan Abstract Anti-Virus&Trojan uses the same Guard Ghost system found in Your-Soft’s Trojan Guarder to supervise all running processes in the memory system, Windows files, and open ports, searching them for viruses, worms, and Trojan horses. If malware appears, even hidden in other programs, Anti-Virus&Trojan displays a warning signal and eliminates the malware, then clears all linked files and relative registered files associated with the removed malware. 126 IA Tools Report Anti-Virus&Trojan Type Virus, worm, and Trojan detection and removal OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer Your-Soft (United Kingdom) Availability http://www.your-soft.com/ Section 4 Anti-Malware Tools Your-Soft Trojan Guarder 6.50 and Trojan Guarder Gold 7.74 Abstract Trojan Guarder is designed to work with a system’s existing anti-malware solution. Its Guard Ghost system supervises all running processes in memory system, Windows files, and open ports to locate and eliminate worms and Trojan horses as they run within the system. Trojan Guarder Gold kills unknown Trojans, spyware, and viruses, and it includes an anti-Trojan firewall function and more robust virus-detection functions than the standard edition. This system, called IE Doctor, can recover any damage caused by JavaScript and ActiveX viruses, and can prevent hackers from attacking the PC’s installed browser. Trojan Guarder Type Virus detection and removal OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer Your-Soft (United Kingdom) Availability http://www.your-soft.com/download.htm IA Tools Report 127 Section 4 Anti-Malware Tools ZoneAlarm® Antivirus 2009 Abstract ZoneAlarm Antivirus 2009 has enhanced detection and removal capabilities to stop viruses before they infect the PC. The product combines anti-virus, with OS-, network-, and application-level firewalls. ZoneAlarm Antivirus 2009 Type Virus detection and removal, plus system, network, and application level firewall functionality OS Vista—2 GHz CPU with 2 GB (32-bit) or 4 GB (64-bit) RAM, 250 MB of free disk space XP—1 GHz 32-bit CPU with 768 MB RAM, 250 MB of free disk space Requires Internet access. Hardware License Commercial NIAP Validated No Common Criteria 128 IA Tools Report Developer ZoneAlarm Labs (owned by Checkpoint) Availability http://www.zonealarmstore.com/products/ zonealarm-anti-virus-2009/ Section 4 Anti-Malware Tools 4.3.1.3 Anti-Spyware Tools The tools described in this section are understood to address only spyware, including, but not limited to, keyloggers, adware, browser helper objects, and tracking cookies. IA Tools Report 129 Section 4 Anti-Malware Tools AdWareAlert Abstract AdWareAlert detects and removes adware, spyware, Trojans, dialers, worms, etc., and scrubs programs on the infected system to ensure that no harmful remnants are left behind. AdWareAlert provides online updates to ensure protection from the latest threats. AdWareAlert Type Spyware detection, blocking, and removal OS Windows 98, ME, XP, 2000, Vista Hardware License Freeware NIAP Validated No Common Criteria 130 IA Tools Report Developer AdWareAlert.com Availability http://adwarealert2009.com/index.php Section 4 Anti-Malware Tools AhnLab SpyZero 2007 Abstract SpyZero uses its proprietary anti-spyware engine to prevent spyware outbreaks and to detect and remove spyware and adware. The tool performs diagnostics such as registry scans and file size checking, and prevents reinstallation of spyware-infected ActiveX programs. The tool also protects against unexpected changes in users’ Web browsers and blocks unwanted pop-up advertisement windows. SpyZero 2007 Type Spyware detection, blocking, and removal OS Windows 98, ME, NT 4.0 Workstation, 200 Professional, XP Hardware Pentium II (Pentium III recommended), 128 MB RAM (256 MB recommended), 100 MB free disk space (300 MB recommended) License Commercial NIAP Validated No Common Criteria Developer Availability AhnLab, Inc (China) http://global.ahnlab.com/global/prod_ detail.ESD?parmProd_class=C&parmProd _type= CM&prod _seq=1023 IA Tools Report 131 Section 4 Anti-Malware Tools CA Anti-Spyware 2009 Abstract CA Anti-Spyware 2009 performs spyware detection and removal to protect against a wide range of spyware, adware, keyloggers, browser hijackers, and similar threats. Real-time protection detects and removes spyware running in memory, and helps prevent spyware from making malicious changes to the Windows registry. Scheduled and on-demand scans enable the user to run a scan at any time, or schedule scans at pre-selected intervals. Scans can be customized, enabling the user to select specific drives, files and folders to scan, and to specify a file exclusion list of files and folders to skip. The scanner produces detailed results indicating the specific threat level of any spyware found, and enabling the user to access the CA Spyware Information Center for more details. CA provides frequent automatic updates of spyware signatures. The tool was certified by West Coast Labs as providing effective spyware protection. AntiSpyware 2009 is also included in the CA Internet Security Suite. 132 IA Tools Report Anti-Spyware 2009 Type Malware detection and removal OS Windows 2000, XP, or Vista Hardware 300 MHz CPU (800 MHz for Vista), 256 MB RAM (512 MB for Vista), 35 MB free disk space License GPL NIAP Validated No Common Criteria Developer CA Availability http://shop.ca.com/spyware/ anti_spyware.aspx Section 4 Anti-Malware Tools Crawler Spyware Terminator Abstract Spyware Terminator scans for and removes known spyware on computers. Spyware Terminator supports customizable on-demand and scheduled scanning with reporting to the user of the system state. The tool removes all detected threats, including removing at system reboot those files that have been locked by the system, and which are therefore not removable by standard methods. It supports quarantine of potentially harmful items without full deletion to allow the user to investigate and determine whether or not those items are actually malicious and need to be deleted; users may send these files to the Spyware Terminator analysis team for deep inspection, with those found to be malicious added to the tool’s threat signature database. Spyware Terminator Type Virus and spyware detection and removal OS Windows XP 32-bit, XP 64-bit, Vista 32-bit and Vista 64-bit Note—Real-time Protection operates on Windows XP 32-bit and Vista 32-bit only. Hardware 10 MB free disk space; monitor/screen with 800x600 pixel resolution or better License Freeware NIAP Validated No Common Criteria Developer Crawler, LLC Availability http://www.spywareterminator.com/ Up to ten Real-time Shields can be installed (32-bit computers only) to intercept and disable threats before they can install themselves. The tool also performs automatic updates from the Crawler, LLC spyware signature database. The product comes bundled with ClamAV, which provides real-time virus detection and removal, and with a host intrusion prevention system to block undefined threats from executing on the system. Restoration capabilities include cooperation with Windows System Restore to return Windows to its pre-infection state, and browser restoration, which returns the sanitized browser to its original default settings. Automatic updating of the tool’s installed signature database is performed in the background, and can also be performed on demand. IA Tools Report 133 Section 4 Anti-Malware Tools Enigma Software Group SpyHunter® v.3 Abstract SpyHunter scans the computer hard drive for files, Windows registry settings, Message Digest 5 (MD5) file signatures, and other indicators of thousands of spyware (including keylogger, identity theft, tracking cookies, rogue anti-spyware, unwanted software, browser hijackers), Trojan, adware, worm, and malware threats. The tool also blocks phishing exploits (e.g., browser hijackers), pop-ups, and malicious Web sites. Enigma also offers its Spyware Helpdesk service to SpyHunter users; if SpyHunter is unable to identify a suspicious object it provides the user with the option to transmit a diagnostic report to the Spyware Helpdesk Support Center, where the report is reviewed, and within 24 hours the user is sent a unique fix to remove the suspicious object and its traces from the user’s system. 134 IA Tools Report SpyHunter Type Spyware detection, prevention, and removal OS Windows Vista, XP, 98, ME, 2000 Hardware License Freeware (Spyware Helpdesk is a commercial service) NIAP Validated No Common Criteria Developer Enigma Software Group Availability http://www.enigmasoftware.com/ spyhunter_more_info.php Section 4 Anti-Malware Tools iS3 STOPzilla® Abstract STOPzilla detects, blocks, and quarantines spyware, adware, rogue programs, keyloggers, malicious BHOs, dialers, Trojans, etc. The tool kills browser hijackers, removes rootkits, and prevents bots from installing. The tool also blocks pop-ups, messenger service ads, phishing exploits, drive-by downloads, and connections to known-malicious Web-sites. STOPzilla is designed to minimize the need for user interaction. Scans can be on-demand or automatic, and automatic updating can also be configured. STOPzilla Type Spyware detection, blocking, and removal OS Windows Vista (32 bit), XP, 2000, ME, 98 Hardware License Freeware (Spyware Helpdesk is a commercial service) NIAP Validated No Common Criteria Developer iS3 Availability http://www.stopzilla.com/products/ stopzilla/home.do IA Tools Report 135 Section 4 Anti-Malware Tools ISecSoft Anti-Keylogger Elite v3.3.3 Abstract Anti-Keylogger Elite is a utility designed to detect keyloggers and give the user the power to disallow or allow the keylogger to function. The tool can prevent known and unknown keyloggers from infiltrating a computer and logging everything the user types on the keyboard and sees on the screen. Anti-Keylogger Elite v3.3.3 Type Keylogger detection and removal OS Windows 2000, XP, 2003 Hardware License Commercial NIAP Validated No Common Criteria 136 IA Tools Report Developer ISecSoft, Inc. (China) Availability http://www.remove-keyloggers. com/ Section 4 Anti-Malware Tools McAfee AntiSpyware Abstract McAfee AntiSpyware catches spyware and other “potentially unwanted programs” (PUP) before they can install themselves, so that this unwanted software cannot spawn other programs or files that install themselves in PC applications or registry entries. Using behavioral-based methods and daily registry-signature updates, McAfee AntiSpyware finds and blocks both known and unknown spyware. The AntiSpyware and PUP database is maintained by McAfee Avert Labs. In addition to its standalone anti-spyware product, McAfee includes its anti-spyware technology in its other cyber security and ESM products and solutions, such as its Web Security appliance. AntiSpyware Type Spyware detection and removal OS Workstation—Windows NT 4, 2000, 2003, XP, Vista Server—Windows NT 4 Server, 2000 Server, Server 2003 Hardware License Commercial NIAP Validated No Common Criteria Developer McAfee Availability http://www.mcafee.com/us/small/products/ anti_spyware/anti_spyware.html IA Tools Report 137 Section 4 Anti-Malware Tools Microsoft Windows Defender Abstract Windows Defender is a spyware detection and removal tool included with Windows Vista; it is also available for free download for use with previous editions of Windows. Windows Defender supports real-time analysis of running software to detect installed spyware while working to prevent spyware from successfully installing in the first place. 138 IA Tools Report Microsoft Windows Defender Type Spyware detection and prevention OS Windows XP and later Hardware License Free NIAP Validated No Common Criteria Developer Microsoft Corporation Availability http://www.microsoft.com/windows/ products/winfamily/defender/default.mspx Section 4 Anti-Malware Tools Neuber Software Anti-Spy.Info Abstract Anti-Spy.Info is intended to complement anti-virus and firewall tools by detecting and removing spyware, Trojans, keyloggers, and adware. Anti-Spy.Info reveals every hidden function of all running tasks or background processes currently active on the computer. The tool also— XXPrevents keyboard and mouse monitoring; XXWarns whether the registry is changed; XXProtects the registry from Trojans that add an autostart key; XXEliminate traces of the user’s Internet activity, such as cookies, cache, history, typed URLs, and temporary files; XXEliminates traces of the user’s work on the computer, such as a list of recent used programs (e.g. Word, ACDSee®, PDF, WinZip®, media player). Anti-Spy.Info Type Spyware detection and removal OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer Neuber Software GmbH (Germany) Availability http://www.anti-spy.info/ IA Tools Report 139 Section 4 Anti-Malware Tools NoAdware 5.0 Abstract NoAdware scans PCs for spyware, adware, dialers, and Web bugs. The user can run manual scans, or schedule scans to run automatically. The tool also enables the user to disable the “Do you want to install?” pop-up window associated with downloads, and instead the tool monitors all attempted downloads of adware/spyware and simply blocks installation of any code that appears on its “block” list. The tools enables the user to configure additional shields for their browsers and system, to prevent detected spyware/adware from executing, to prevent sites that serve spyware/adware from adding their URLs to the IE browser’s “favorites” list, and to request explicit user authorization to add any URL to their IE “favorites” lists. 140 IA Tools Report NoAdware 5.0 Type Spyware detection, blocking, and removal OS Windows Hardware License Freeware NIAP Validated No Common Criteria Developer NoAdware.net Availability http://www.noadware.net/ Section 4 Anti-Malware Tools ParetoLogic XOFTspy® Portable Anti-Spyware, XoftSpySE Anti-Spyware Abstract XOFTspy Portable is designed to be installed and run from U3 USB platforms and SmartDrives. The tool scans both the PC to which the USB drive is connected and the drive itself. Its features are otherwise the same as those of XOFTSpySE Anti-Spyware. XOFTSpySE scans scan the entire PC to detect adware, spyware, pop-up generators, keyloggers, Trojans, hijackers, W32/Spybot, browser hijackers, and other malware, and quarantines any infected files it detects. The user is then able to review and remove the quarantined files. XOFTspy Portable, XosftSpySE Type Spyware detection and removal OS XOSFTspy Portable—Windows 2000 or XP; IE 6.0; XoftSpySE — Windows 98, ME, 2000, XP; IE 6.0 Hardware XOSFTspy Portable—Pentium II, 64 MB RAM; USB device—8 MB free SmartDrive space; XoftSpySE —Pentium II, 64 MB RAM, 10 MB free disk space License Commercial NIAP Validated No Common Criteria Developer ParetoLogic Inc. (Canada) Availability http://www.paretologic.com/ products/xoftspypa/index.aspx http://www.paretologic.com/ products/xoftspyse/index.aspx http://www.xoftspy.net/products. aspx IA Tools Report 141 Section 4 Anti-Malware Tools PC Tools SpywareDoctor 6.0.1.441 Abstract SpywareDoctor detects, removes, and protects PCs from spyware, adware, spyware Trojans, keyloggers, rogue anti-spyware, and other unwanted software, as well as identity theft, hijacking, phishing, and tracking threats, pop-ups, and bad Web sites. It performs malware detection and termination, hidden process detection, and unauthorized hook detection. SpywareDoctor can be obtained separately, or in combination with PC Tools AntiVirus, or in a PC Tools Internet Security Suite that includes all of PC Tools cyber security (SpamMonitor and FirewallPlus) and anti-malware components. 142 IA Tools Report PC Tools SpywareDoctor 6.0.1.441 Type Spyware detection and removal OS Windows Vista 64, XP, 2000 Hardware License Commercial NIAP Validated No Common Criteria Developer PC Tools Availability http://www.pctools.com/spyware-doctor/ Section 4 Anti-Malware Tools Rnsafe Spyware Cleaner 2009 2.03 Abstract Spyware Cleaner scans memory, registry, hard drives, and external storage to find and remove spyware, adware, Trojans, keyloggers, home page hijackers, and other malware threats. Scanning can be configured to scan only certain areas of the computer or to skip specified files/folders. Detected threats are quarantined, and the tool provides a Junk Files Cleaner and registry Cleaner for eliminating the traces of eliminated spyware. The Host Files Editor enables the user to specify (by IP address) ad sites and other sites to be blocked, including sites suspected of originating Web browser hijacking attacks. The tool also provides an Update Manager with an automated “check for updates” feature, and a “submit for analysis” feature that enables the user to send quarantined spyware to Rnsafe or another recipient (identified by email address) for deeper analysis. Spyware Cleaner 2009 2.03 Type Spyware detection and removal OS Windows NT, 2000, XP, 2003, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Rnsafe (China) Availability http://www.rnsafe.com/buy.html IA Tools Report 143 Section 4 Anti-Malware Tools Safer Networking Spybot - Search & Destroy 1.6.2 Abstract Spybot - Search & Destroy (Spybot-S&D) detects, “shreds” (destroys), and removes spyware, adware, browser helper objects, browser hijackers, dialers, keyloggers, Trojans, and other possibly unpopular software, as well as the user’s computer usage tracks, and blocks threatening ActiveX downloads, tracking cookies and browser downloads (IE only). The tool backs up copies of all detected threats for analysis. Automatic scans can be scheduled, and tasks can be automated through a command line interface. Spybot-S&D provides the ability to fix some registry inconsistencies and to generate extended reports. 144 IA Tools Report Spybot - Search & Destroy 1.6.2 Type Spyware detection, destruction, and removal OS Windows 95, 98, ME, NT, 2000, XP, 2003, Vista, 2008, PE; Linux/UNIX (with Wine support) Hardware License Freeware NIAP Validated No Common Criteria Developer Safer Networking Ltd. (Ireland) Availability http://www.safer-networking.org/en/ download/index.html Section 4 Anti-Malware Tools SecureMac® MacScan® 2.6.1 Abstract MacScan detects, quarantines, and removes spyware Apple computers running Mac OS X. The tool recognizes over 8,000 known malicious tracking cookies. Scans can be performed on-demand or scheduled in advance. The tool’s Blacklisted Cookie Scan feature enables the user to remove blacklisted tracking cookies without losing their saved usernames and passwords. MacScan 2.6.1 Type Spyware detection and removal OS Mac OS X Hardware License Commercial NIAP Validated No Common Criteria Developer SecureMac.com, Inc. Availability http://macscan.securemac.com/ IA Tools Report 145 Section 4 Anti-Malware Tools Security Stronghold True Sword Abstract True Sword protects computers against malicious programs that harm those computers and violate user privacy. These programs include spyware, Trojans, adware, trackware, dialers, keyloggers, and other kinds of threats. True Sword scans hard disks, registry, and processes and removes all malicious software found. It also removes malicious BHOs and tracking cookies. The product comes in home/home office and corporate editions. The latter protects 10 to 10,000 networked computers from over 300,000 varieties of spyware, adware, Trojans, trackware, and other privacy-violating malware. 146 IA Tools Report True Sword Type Spyware detection and removal OS Windows 2000, XP, 2003, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Security Stronghold (Russian Federation) Availability http://www.securitystronghold.com/ true_sword.html http://www.securitystronghold.com/ business/true-sword-corporate/ Section 4 Anti-Malware Tools Sunbelt Software CounterSpy®, CounterSpy Enterprise, CounterSpy Gateway SDK Abstract CounterSpy shares the features of Sunbelt’s VIPRE anti-malware tool, but focuses only on detecting spyware; it provides no anti-virus capabilities. CounterSpy uses an extensive spyware signature database, real-time security agents, and ThreatNet “neighborhood watch” for spyware, to protect against many types of spyware, adware, browser hijackers, search hijackers, keyloggers, ghost spammers, spy software, and other hazardous applications and files that violate the user’s privacy. CounterSpy is powered by a hybrid engine that merges spyware detection and remediation with malware protection. FirstScan executes when triggered by a CounterSpy scan to root out deeply embedded malware before Windows loads. When spyware is located, a results page is displayed, allowing the user to see details of every spyware threat found, along with descriptions of the threat, files and settings located on the computer, advice on handling the threat, risk rating associated with the threat, and a recommended course of action, with options to remove, ignore, or quarantine the threat. If quarantined, the threat is deactivated and removed to a safe data store, after which the user can either delete or restore the quarantined file. The tool’s real-time Active Protection agents monitor the computer 24/7, securing certain areas. When specific checkpoints are breached, the activity is immediately analyzed against CounterSpy’s database of known file and setting signatures, allowing unthreatening changes to be made; and alerting the user to any potential spyware installations. In this way, Active Protection intercepts many potential hazards in real-time and helps the user decide what software should be allowed access to his/her system. As for browser support, CounterSpy’s Active Protection currently only monitors browser-specific changes in IE. CounterSpy Enterprise provides the same antispyware features as CounterSpy, but adds centralized management via the same dashboard found in VIPRE Enterprise (described in Section 4.3.1.1). Sunbelt Software also offers the CounterSpy Gateway SDK to enable OEMs and service providers to integrate CounterSpy into their security gateway packages and appliances. CounterSpy, CounterSpy Enterprise, CounterSpy Gateway SDK Type Spyware detection, blocking, and removal OS Windows 2000, Server 2003, Server 2008, XP, Vista Hardware IBM-compatible 400 MHz CPU, 512 MB RAM, 150 MB free disk space, 2x CD reader, Internet access (56 Kbps minimum) For console requirements, see VIPRE Enterprise (Section 4.3.1.1) License Commercial NIAP Validated No Common Criteria Developer Sunbelt Software, Inc. Availability http://www.sunbeltsoftware.com/ Home-Home-Office/Anti-Spyware/ http://www.sunbeltsoftware.com/ Business/CounterSpy-Enterprise/ http://www.sunbeltsoftware.com/ Government/CounterSpy-Enterprise/ http://www.sunbeltsoftware.com/ Developer/CounterSpy-Gateway-SDK/ IA Tools Report 147 Section 4 Anti-Malware Tools SuperAntiSpyware® Professional Edition Abstract SuperAntiSpyware detects, quarantines, and removes spyware, adware, malware, Trojans, dialers, worms, keyloggers, hijackers, parasites, rootkits, rogue security products, and other threats. Detection is based on both recognition of code patterns and analysis of threat characteristics. The tool’s Process Interrogation Technology enables detection of threats hiding anywhere on the system, including threats that use rootkits or kernel drivers to avoid detection. The tool blocks threats in real-time to prevent installation or re-installation of potentially harmful software. The tool automatically scans more than 50 critical areas of the PC when it starts up and shuts down to eliminate threats before they can infiltrate and infect the system. Scans can be manual, or scheduled daily or weekly, and can be “quick,” “complete,” or “custom.” The tool provides the user the ability to easily repair broken Internet connections and desktops and edit registry entries. 148 IA Tools Report SuperAntiSpyware Professional Edition Type Spyware detection, blocking, and removal OS Windows 98, 98SE, ME, 2000, XP, Vista or Windows 2003 Hardware 400 MHz CPU, 256 MB RAM License Commercial/Freeware (offered free for personal/home use; scheduling and daily signature updates only available with professional edition) NIAP Validated No Common Criteria Developer SUPERAntiSpyware.com Availability http://www.superantispyware.com/ Section 4 Anti-Malware Tools SystemSoftLab Spyware Process Detector Abstract Spyware Process Detector is an anti-spyware tool that will detect all processes running on the computer and display their threat rating based on the intelligent analysis of all hidden properties. Another specialty of the program is its ability to detect a process that contains and executes alien code of another process. Users will at a glance see the detailed information about any selected process and detect all hidden threats, including spyware, malware, keyloggers, and Trojans. Seventeen methods of process detection are available. Spyware Process Detector Type Spyware detection and removal OS Windows 2000, XP, 2003, Vista Hardware Pentium (Pentium II 500 MHz recommended) License Commercial NIAP Validated No Common Criteria Developer SystemSoftLab (Russian Federation) Availability http://www.systemsoftlab.com/spydetector. html Unlike standard Windows Task Manager, Spyware Process Detector will detect even those processes and tasks that are transparent to OS. The security rating is color-coded so that users can see the most dangerous processes at once. Red stands for the highest rating of danger, and green for the lowest one; any color between red and green stands for varying levels of security threat. The program shows other details about each process, such as process ID, parent ID, security status, .exe filename, file path, description, etc. Startup Manager shows details information about processes that run on Windows startup. Once there is a process marked out as red or yellow, users have to choose whether to delete it or mark as safe. The current list of processes can be exported to the Excel format for further analysis. The program detects new (undetectable by typical anti-virus scanners) spyware, Trojans, and viruses. IA Tools Report 149 Section 4 Anti-Malware Tools TrendMicro Transaction Guard Abstract This free tool, intended for use when performing Internet banking, shopping, and similarly sensitive online transactions that involve transmission of personal and personally identifiable information, consists of— XXSpyware Monitor—Monitors for spyware and notifies the user of any intrusions; XXPassword ClipBoard—An on-screen keyboard for securely entering user names and passwords to thwart keyloggers. 150 IA Tools Report Transaction Guard Type Spyware detection and avoidance OS Windows 2000, XP, Vista Hardware License Freeware NIAP Validated No Common Criteria Developer TrendMicro Availability http://www.trendsecure.com/portal/en-US/ tools/security_tools/transaction_guard Section 4 Anti-Malware Tools Usec.at Nemesis Antispyware Abstract Nemesis protects PCs against a wide range of spyware threats via routine and advanced registry scans and repairs. Nemesis provides the following capabilities— XXScans for spyware, adware, dialer attacks, and hijackers; XXProvides optional quarantine for later threat analysis; XXProvides registry backup for later investigation; XXPerforms full-service scans whereby novice users can perform a one-click scan to find and eliminate all known infections, while advanced users can use granular control of individual scans and deletions. XXScans memory, registry (including deep registry scanning), Windows startup regions, BHOs, file associations, Ini files, IE settings; XXProvides protection for IE settings and hosts file; XXAutomatically blocks known bad servers in hosts file; XXProvides Winsock LSP fix for malware such as Webhancer or New.net; XXIncludes a hosts file editor; XXEnables secure file deletion; XXIncludes auto-update functionality; XXProvides an interface for sending detected spyware threats to an expert for thorough analysis; XXIncludes reporting options, including “send,” “mail,” and “save” handling of reports; XXEnables configuration of report names for further processing; XXPoint-and-click graphical user interface (GUI) for novice users. Nemesis Antispyware Type Spyware detection and removal OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer Usec.at (Austria) Availability http://usec.at/downloads/Nemesis_ installer.exe IA Tools Report 151 Section 4 Anti-Malware Tools Webroot Software AntiSpyware Corporate Edition 3.5 and Spy Sweeper® 6.1 Abstract Webroot AntiSpyware Corporate Edition is a centrally managed, scalable enterprise solution that uses Webroot’s Spy Sweeper technology to protect against all types of malicious spyware, adware, and keyloggers. The tool comprehensively detects and removes existing spyware, and blocks new threats before they infect PCs. Spy Sweeper provides detection and removal capabilities, even for difficult-to-eliminate spyware. Spy Sweeper’s Smart Shields block sophisticated spyware threats in real-time, before they can infect a PC. Spy Sweeper also discovers and destroys rootkits. The user can configure the tool to perform a quick, full, or customized scan. Gamer Mode enables users to temporarily defer scheduled activities, alerts, and updates when they are playing online games, while continuing to run the tool’s shield technology in the background. Webroot’s VersionGuard automatically downloads and installs updates to Spy Sweeper as soon as they are released. 152 IA Tools Report Webroot AntiSpyware Type Spyware detection and removal OS AntiSpyware—Windows Vista, 2000 Professional or Server (SP 4), XP Professional (SP 2), 2003 Standard, Enterprise, R2, or Small Business Server (SP1); Spy Sweeper—Windows Vista, XP Hardware AntiSpyware—1 GHz CPU, 1 GB RAM, 1 GB free disk space; Spy Sweeper—300 MHz CPU, 256 MB RAM, 100 MB free drive space License Commercial NIAP Validated No Common Criteria Developer Webroot Software, Inc. Availability http://www.webroot.com/En_US/ business-antispyware-ce.html http://www.webroot.com/En_US/ consumer-products-spysweeper.html Section 4 Anti-Malware Tools Your-Soft Anti-Virus&Spyware Abstract Anti-Virus&Spyware detects and removes spyware, adware, and tracking files (such as tracking cookies and Web browser plug-ins). Anti-Virus&Spyware Type Spyware detection and removal OS Windows Hardware License Commercial NIAP Validated No Common Criteria Developer Your-Soft (United Kingdom) Availability http://www.your-soft.com/ IA Tools Report 153 Section 4 Anti-Malware Tools 4.3.1.4 Anti-Rootkit Tools The tools described in this section are understood to address rootkits. 154 IA Tools Report Section 4 Anti-Malware Tools Andres Tarasco’s RKDetector v2.0 Abstract RKdetector is advertised as a “security analyzer, rootkit removal, and runtime forensic analysis” tool. It comprises two modules— RKDetector v2.0 Type Rootkit detection OS Windows Hardware XXFILESYSTEM Module, which performs detection and secure deletion of rootkits and data recovery subsequent to deletion; XXIAT Analysis Module, which performs analysis and “fixing” of the system IAT, plus scanning of the associated database. License Freeware NIAP Validated No Common Criteria Developer Andres Tarasco (Spain) Availability http://www.rkdetector.com/ For support, the user is directed to visit a Spanish-language security tools blog/portal at http://www.shellsec.net/. IA Tools Report 155 Section 4 Anti-Malware Tools Christian Hornung’s OS X Rootkit Hunter 0.2 Abstract OS X Rootkit Hunter is scanning tool that detects backdoors, rootkits, and local exploits on Macintosh computers running OS X by running such tests as MD5 hash comparisons and scanning for default files used by rootkits, inappropriate file permissions assigned to binary files, suspect strings in Linux Kernel Module (LKM) modules, hidden files, and scans within plaintext and binary files. According to its developer, OS X Rootkit Hunter is adapted from Michael Boelen’s UNIX/Linux-based Rootkit Hunter, which is described elsewhere in this Tools Report. Please refer to that tool’s abstract for a more complete description of Rootkit Hunter’s capabilities. 156 IA Tools Report OS X Rootkit Hunter 0.2 Type Rootkit detection OS Macintosh OS X 10.4 or later Hardware PowerPC (not yet tested on Intel-based Macintoshes) License Freeware NIAP Validated No Common Criteria Developer Christian Hornung (Germany) Availability http://www.christian-hornung.de/ Section 4 Anti-Malware Tools DiabloNova’s Rootkit Unhooker (RkU) Abstract Rootkit Unhooker can detect kernel hooks, hidden processes, hidden drivers, hidden files, and code hooks. If the tool finds an offending or suspect process, the user can terminate the detected process normally, force it to close, and/or erase the process’ executable file. The user can even force a “blue screen of death” if the process cannot be killed by less aggressive means. The tool’s Virtual Machine Detector uses the time elapsed between two low-level CPU instructions to determine whether the OS is running directly on the hardware or in a virtual machine. This enables it to detect rootkits that wrap the victim OS in a virtual machine. Before running, Rootkit Unhooker conducts an integrity self-test to ensure that it is not itself being subverted by a rootkit. Rootkit Unhooker (RkU) v3.8.342.554 Type Rootkit detection OS Windows 2000, XP, 2003, Vista Hardware x86 License Freeware NIAP Validated No Common Criteria Developer DiabloNova (Russian Federation) Availability http://www.woodmann.com/collaborative/ tools/index.php/Rootkit_Unhooker Note—This is one of many sites from which RkU can be downloaded. Note—The Rootkit Unhooker project was discontinued when Microsoft purchased it in November 2007. However, as of October 2008, the Russian developer DiabloNova (also known as Alpha & Omega) claimed to still support the product, which was last updated September 2008. IA Tools Report 157 Section 4 Anti-Malware Tools F-Secure BlackLight Rootkit Eliminator Abstract BlackLight Rootkit Eliminator detects hidden files, folders, and processes that are hidden from the user and other programs, including security tools. BlackLight also provides the user the option of removing the discovered hidden objects, which may include malware; it does this by renaming them so they can be detected and deleted. The main purpose of BlackLight is to find and eliminate active rootkits that are not detectable by standard anti-malware software, and to remove malware that uses rootkits. BlackLight Rootkit Eliminator was developed for use by F-Secure’s own Response Lab. F-Secure also makes the tool available for free download, but provides no product support to those who download it. 158 IA Tools Report BlackLight Rootkit Eliminator Type Rootkit detection and removal OS Windows 2000, XP, 2003 Server, Vista Hardware License Freeware NIAP Validated No Common Criteria Developer F-Secure Corporation (Finland) Availability http://www.f-secure.com/en_EMEA/ security/security-lab/tools-and-services/ blacklight/ Section 4 Anti-Malware Tools GMER v1.0.15.14972 Abstract GMER is an application that detects and removes rootkits by scanning for hidden processes, threads, modules, services, files, alternate data streams, registry keys, and for drivers hooking system service descriptor table, interrupt descriptor table, and input/ output request packet calls, as well as inline hooks. GMER makes it possible to monitor a variety of system functions, including process creations, driver loads, library loads, file functions, registry entries, and TCP/IP connections. GMER v1.0.15.14972 Type Rootkit detection and removal OS Windows NT, 2000, XP, Vista Hardware License Freeware NIAP Validated No Common Criteria Developer Not identified (Internet domain registered by “Domain Discreet” in Portugal) Availability http://www.gmer.net/ IA Tools Report 159 Section 4 Anti-Malware Tools iDefense HookExplorer Abstract Detour-style hooks are often indicative of malicious code attempting to co-opt OS processes. HookExplorer scans all loaded DLLs associated with a process, then scans their import tables for hijacked function pointers in the import address table. The first instruction for each function pointer is then disassembled and examined to try to detect standard detour-style hooks that may be present. The tool can optionally also scan every function in the image export table for detour-style hooks, one of the few scans possible for dynamically-loaded DLLs. 160 IA Tools Report iDefense HookExplorer Type Rootkit detection (unauthorized hook detector) OS Windows with VisualBasic 6 runtime libraries and Microsoft Common Controls Object Linking and Embedding Control eXtension Hardware License GPL NIAP Validated No Common Criteria Developer iDefense Labs (owned by VeriSign) Availability http://labs.idefense.com/files/labs/ releases/previews/HookExplorer/ Section 4 Anti-Malware Tools MANDIANT® Memoryze Abstract MANDIANT Memoryze is free memory forensic software that helps incident responders find malicious activity in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis. In addition to rootkit and hook detection, Memoryze can also be used for reverse engineering, malware analysis and incident response, and traditional computer forensics. MANDIANT Memoryze Type Rootkit detection OS Windows 2000, XP, 2003, Vista (beta support) Hardware License Freeware NIAP Validated No Common Criteria Developer MANDIANT Availability http://www.mandiant.com/software/d/ mmdld.htm IA Tools Report 161 Section 4 Anti-Malware Tools McAfee Rootkit Detective Beta Abstract McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system. This program is not dependent on any signatures and can proactively detect most of the existing and upcoming rootkits and allow the user to clean them. McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to applications or an OS. 162 IA Tools Report McAfee Rootkit Detective Beta Type Rootkit detection and removal OS Windows XP, 2000, 2003 Server Hardware License Freeware NIAP Validated No Common Criteria Developer McAfee Avert Labs Availability http://vil.nai.com/vil/stinger/rkstinger.aspx Section 4 Anti-Malware Tools Michael Boelen’s Rootkit Hunter 1.3.4 Abstract Rootkit Hunter is scanning tool that detects rootkits, backdoors, and their local exploits by running such tests as— Rootkit Hunter 1.3.4 Type Rootkit detection OS AIX (4.1.5 and 4.3.3), ALT Linux, Aurora Linux, CentOS (3.1 and 4.0), Conectiva Linux 6.0, Debian 3.x, FreeBSD (4.3-4.4, 4.7-4.10, 5.0-5.2.1 and 5.3), Fedora® Core (1-3), Gentoo® (1.4, 2004.0, 2004.1), Macintosh OS X (10.3.4-10.3.8), Mandrake® (8.1-8.2, 9.0-9.2, 10.0-10.1), OpenBSD (3.4-3.5), Red Hat Linux (7.0-7.3, 8, and 9), Red Hat Enterprise Linux (2.1 and 3.0), Slackware (9.0-9.1 and 10.0-10.1), SME 6.0, Sun Solaris, SuSE (7.3, 8.0-8.2, and 9.0-9.2), Ubuntu, Yellow Dog Linux (3.0-3.01), CLFS, DaNix, PCLinuxOS, VectorLinux SOHO (3.2 and 4.0), CPUBuilders Linux, Virtuozzo (VPS). XXMD5 hash comparisons, XXScans for default files used by rootkits, XXScans for inappropriate file permissions assigned to binary files, XXScans for suspect strings in LKM modules, XXScans for hidden files, XXString scans of plaintext and binary files within directories, XXAdditional OS-specific scans and comparisons, XXDetection of port listeners on static ports. Notes—NetBSD is not supported. The system must also run Bourne Again Shell. Hardware Note—Not tested on Intel-based Macintosh License GPL NIAP Validated No Common Criteria Developer Michael Boelen (The Netherlands) Availability http://www.rootkit.nl/projects/rootkit_ hunter.html IA Tools Report 163 Section 4 Anti-Malware Tools Microsoft Sysinternals RootkitRevealer v1.71 Abstract RootkitRevealer v1.71 RootkitRevealer is an advanced rootkit detection utility runs on Windows (NT 4 and higher). Its output lists registry and file system API discrepancies that may indicate the presence of a user-mode or kernelmode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish, and HackerDefender (note—RootkitRevealer is not intended to detect rootkits like Fu that do not attempt to hide their files or registry keys). Type Rootkit detection OS Windows Server 2003, XP RootkitRevealer executes its scans from a randomly named copy of itself that runs as a Windows service. Command-line options can be used to execute an automatic scan with results logged to a file. RootkitRevealer requires that the account from which its run has assigned to it the Backup files and directories, Load drivers and Perform volume maintenance tasks (on Windows XP and higher) privileges. The Administrators group is assigned these privileges by default. In order to minimize false positives, run RootkitRevealer on an idle system. Microsoft also offers an online version of RootkitRevealer, which can be run remotely from their Sysinternals site. 164 IA Tools Report Hardware License Freeware NIAP Validated No Common Criteria Developer Microsoft Sysinternals Availability http://technet.microsoft.com/en-us/ sysinternals/bb897445.aspx http://live.sysinternals.com/RootkitRevealer. exe Section 4 Anti-Malware Tools Panda Security Anti-Rootkit v1.07 Abstract Panda Anti-Rootkit is a program that uses latest generation technology to detect and remove rootkits. Panda Anti-Rootkit sifts through the files and registry items on a computer, looking for evidence of rootkit activity, and reports its findings in significant detail. It distinguishes rootkits that it recognizes from those it does not, and eliminates both. The tool does not need to be installed—just downloaded and run. It provides an option for an in-depth scan that requires the computer to be rebooted so the tool can detect rootkit activity during the boot process. The scan itself is fast, and checks processes, drivers, the registry, the file system, and any Alternate Data Streams it can detect. Output can be organized into a readable, detailed Advanced Report that specifies precisely what has been found by the tool and deemed suspicious; the report also indicates the relationships between found items. Panda Anti-Rootkit v1.07 Type Rootkit detection and removal Behavior analysis for malware indicators OS Clients—Windows 2000, XP Servers—Panda Tech Support provides scans-as-a-service for systems running Windows 2003 and 2000 Hardware License Freeware NIAP Validated No Common Criteria Developer Panda Security, S.L. (Spain) Availability http://www.pandasecurity.com/homeusers/ downloads/docs/product/help/rkc/en/ rkc_en.htm http://research.pandasecurity.com/archive/ New-Panda-Anti_2D00_Rootkit-_2D00_Version-1.07.aspx http://research.pandasecurity.com/blogs/ images/AntiRootkit.zip Panda Anti-Rootkit distinguishes between unknown rootkits, which it detects solely by their behavior, and known rootkits, which it also matches to known signatures. Rather than removing only known rootkits, to avoid the possibility of damaging the Microsoft Windows installation, Panda Anti-Rootkit deletes all of the suspect “unknown” files unless they have legitimate digital signatures from Microsoft that indicate that they are “pure” and unmodified, and thus unlikely to be the source of rootkit behavior; the tool developers consider removing non-Microsoft files to be sufficient. Any file that has been modified, thereby invalidating the signature, is considered a danger that should be removed. Panda also offers the option of sending any unknown files to Panda Labs for further analysis before removing them. After performing an in-depth scan and removing the detected active rootkits, and their associated hidden files and registry keys, Panda Anti-Rootkit does leave a large number of un-hidden registry keys of rootkits with known signatures. IA Tools Report 165 Section 4 Anti-Malware Tools Pangeia Informatica chkrootkit Abstract chkrootkit is a tool that checks for signs of a rootkit on UNIX-based systems (including Linux, BSD, Solaris and Mac OS X). It contains the following components— chkrootkit Type Rootkit detection and removal OS Linux 2.0.x-2.6.x, FreeBSD 2.2.x-5.x, OpenBSD 2.x-4.x., NetBSD 1.6.x, Solaris 2.5.1-2.6, 8.0-9.0, HP-UX 11, Tru64, BSDI, Mac OS X XXchkrootkit—Shell script that checks system binaries for indications of rootkit modification; XXifpromisc.c—Checks whether the interface is in promiscuous mode; XXchklastlog.c—Checks for deletions from the UNIX lastlog file; XXchkwtmp.c—Checks for deletions from the UNIX / var/log/wtmp (login/logout tracking) file. XXcheck_wtmpx.c—Checks for deletions from the Solaris /var/log/wtmp (login/logout tracking) file; XXchkproc.c and chkdirs.c—Check for signs of LKM Trojans; XXstrings.c—Replaces strings; XXchkutmp.c—Checks for deletions from the UNIX / var/run/utmp (login/logout tracking) file. 166 IA Tools Report Hardware License Freeware NIAP Validated no Common Criteria Developer Pangeia Informatica LTDA (Brazil) Availability http://www.chkrootkit.org Section 4 Anti-Malware Tools Sophos® Anti-Rootkit Abstract Sophos Anti-Rootkit scans, detects, and removes any rootkit that is hidden on a computer. The tool scans running processes, windows registry, and local hard drives to identify known rootkits and to select, by default, files containing the rootkit component of malware for removal without compromising OS integrity. This enables users to remove unidentified hidden files, but does not allow removal of essential system files hidden by an identified rootkit. After the system has been scanned, the user is prompted through the steps needed to remove every detected rootkit. Anti-Rootkit Type Rootkit detection and removal OS Windows NT 4.0, 2000, XP, Server 2003 Hardware 128 MB RAM License Freeware NIAP Validated No Common Criteria Developer Sophos Plc. (United Kingdom) Availability http://www.sophos.com/products/ free-tools/sophos-anti-rootkit.html The tool can be operated via a simple GUI or from the command line, and context sensitive and commandline help are both available. Note that the same functionality is provided in Sophos’s commercial Endpoint Security and Control product. IA Tools Report 167 Section 4 Anti-Malware Tools SysProt AntiRootkit v1.0.1.0 Abstract SysProt AntiRootkit v1.0.1.0 SysProt AntiRootkit is a free tool to detect and remove rootkits. Some of the key features of the tool are— Type Rootkit detection and removal OS Windows 2000, XP, 2003, Vista XXHidden process detection and removal, Hardware XXHidden driver detection and removal, License Freeware NIAP Validated No XXSSDT hooks detection and removal, XXKernel inline hooks detection and removal, XXSysenter hook detection, XXTCP/User Datagram Protocol (UDP) port information, XXHidden/locked files detection and removal. 168 IA Tools Report Common Criteria Developer swatkat (location unknown) Availability http://sites.google.com/site/ sysprotantirootkit/ Section 4 Anti-Malware Tools TrendMicro RootkitBuster v2.52 Beta Abstract RootkitBuster is a rootkit scanner that scans hidden files, registry entries, processes, drivers, and master boot record rootkits. In addition, RootkitBuster can also clean hidden files and registry entries. RootkitBuster v2.52 Beta Type OS Rootkit detection and removal Windows 2000, Server 2003, XP, Vista Note—Does not support 64-bit OSs Hardware Pentium; 256 MB RAM (512 MB recommended); 50 MB free disk space License Freeware NIAP Validated No Common Criteria Developer TrendMicro Availability http://www.trendmicro.com/download/ rbuster.asp IA Tools Report 169 Section 4 Anti-Malware Tools Usec.at Radix Rootkit Detector Abstract Radix Rootkit Detector detects a large number of publicly available rootkits, effectively revealing them to make it possible to delete them. The tool also repairs the damage rootkits cause. Radix Rootkit Detector uses efficient low-level coding and gathers evidence indicating a rootkit allowing the user to decide whether to attempt to remove the suspected rootkit automatically or to manually repair certain of its effects. 170 IA Tools Report Radix Anti Rootkit 1.0.0.8 Type Rootkit detection and remover OS Windows 2000, XP Hardware 145 KB RAM License Freeware NIAP Validated No Common Criteria Developer Usec.at (Austria) Availability http://www.usec.at/rootkit.html Section 4 Anti-Malware Tools Xfocus IceSword 1.22 Abstract IceSword is a kernel level tool that acts as a kernel proxy, so any action the user takes is a kernel-level action. By enumerating services, registry keys, processes, ports, etc., the user can circumvent the majority of hiding methods employed by rootkits such as Klish, SinAR, BlueB8, and others. IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show. It isn’t a “click-here-to-delete-rootkits” product but a sophisticated discovery tool that can protect against sinister rootkits if used before they infect a machine. IceSword 1.22 Type Rootkit detection OS Windows Hardware License Freeware NIAP Validated No Common Criteria Developer pjf_ at Xfocus (China) Availability http://mail.ustc.edu.cn/~jfpan/download/ IceSword122en.zip (This is version 1.22.) IceSword has a dedicated following based on its apparent effectiveness in rootkit detection and removal, despite the fact that PCWorld reported that it had received so many complaints about problems using IceSword, that by September 2006, it was compelled to remove the software from the magazine’s download site. IA Tools Report 171 Section 4 Anti-Malware Tools zeppoo 0.0.4 beta Abstract zeppoo allows you to detect rootkits on i386 and x86_64 architecture under Linux, by using /dev/ kmem and /dev/mem. Moreover, it can also detect hidden tasks, (hidden) connections, (some) corrupted symbols, system calls, modules, etc. Anti-rootkit tools that do not use these methods can be fooled easily. zeppoo 0.0.4 Beta Type Rootkit detection OS Linux Hardware License GPL NIAP Validated No Common Criteria 172 IA Tools Report Developer zeppoo (location unknown) Availability http://sourceforge.net/projects/zeppoo Section 4 Anti-Malware Tools 4.3.1.5 Anti-Bot, Anti-Botnet, and Anti-Zombie Tools The tools described in this section are understood to address bots and botnets. [15] IA Tools Report 173 Section 4 Anti-Malware Tools Damballa® Failsafe Abstract Failsafe network security appliances are placed at key Internet access points and network intersections to identify internal activity typical of bot-driven targeted attacks. Damballa notifies clients in real time whenever a new compromise is detected, providing details for administrators, including steps to contain and remediate the compromise. Failsafe appliances provide real-time identification and remediation for bot-driven targeted attacks inside enterprise networks, without requiring malware signature databases or network behavior profiles. Failsafe operates both as an in-the-cloud service and as a standalone product with its own management console for automated capture and analysis of zero-day threats. Failsafe also integrates easily into existing IT and security management systems through a Structured Query Language interface. Damballa appears to intend its Failsafe appliance to be marketed through OEMs, and does not provide a mechanism for direct purchase by end users. 174 IA Tools Report Failsafe Type Bot detection OS Hardware License OEM NIAP Validated No Common Criteria Developer Damballa, Inc. Availability http://www.damballa.com/solutions/index. php Section 4 Anti-Malware Tools SRI International BotHunter Abstract BotHunter is designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model. BotHunter consists of a correlation engine that is driven by a customized and augmented release of Snort Version 2, which tracks the underlying actions that occur during the malware infection process—inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication. The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of evidence is found to match BotHunter’s infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process. We refer to this analytical strategy of matching the dialog flows between internal assets and the broader Internet as dialog-based correlation (patent pending). BotHunter Type Botnet detection OS Tested on Linux—Fedora, Red Hat Enterprise, Debian, Ubuntu, SuSE; FreeBSD 7.0; Mac OS X 10.4 Tiger, 10.5 Leopard; Windows XP Hardware License Freeware (with End-User License Agreement) NIAP Validated No Common Criteria Developer SRI International (sponsored by Army Research Office) Availability http://www.bothunter.net/ IA Tools Report 175 Section 4 Anti-Malware Tools TrendMicro RUBotted (Beta) Abstract RUBotted monitors the computer for suspicious activities and regularly checks with an online service to identify behavior associated with bots. Upon discovering a potential infection, RUBotted prompts the user to scan and clean the computer with an effective anti-virus program. RUBotted (Beta) Type Bot detection OS Windows 2000, XP, 2003, Vista Hardware Pentium 350 MHz, 250 MB free disk space, IPv4 Internet connection License Freeware NIAP Validated No Common Criteria 176 IA Tools Report Developer TrendMicro Availability http://www.trendsecure.com/portal/en-US/ tools/security_tools/rubotted Section 4 Anti-Malware Tools 4.3.2 Malware Prevention, Termination, and Constraint Tools The tools described in this section are understood to perform some function that either prevents malware from entering a system, or terminates its execution, or isolates and constrains it to prevent its execution and/or propagation. IA Tools Report 177 Section 4 Anti-Malware Tools Apocgraphy Security Bulldog Abstract Security Bulldog removes and quarantines all executable content, scripts, and formatted (e.g., HTML) content from inbound emails and Web mails, as well blocking all email that attempts to download content from the Internet (e.g., hyperlinks in spam mail). The tool alerts the user whenever it has quarantined an attachment and provides a risk assessment for that attachment, based on its file type. The tool includes a built-in database of over 7,000 different file types, each of which includes a description of typical contents and associated level of risk. By informing the user of the risk level associated with a quarantined attachment, the tool enables the user to make a more informed decision as to whether to open the quarantined attachment or to delete it without opening. This combination of quarantine and content blocking minimizes the risks posed by file types that may contain embedded malicious code as well as those that act as vectors for transmitting or cross-linking to malicious code. 178 IA Tools Report Security Bulldog Type Email attachment quarantine OS Windows 95, 98, NT, ME, 2000, XP Hardware License Free/Commercial NIAP Validated No Common Criteria Developer Apocgraphy (Canada) Availability http://www.apocgraphy.com/ SecurityBulldog/Default.htm Section 4 Anti-Malware Tools Backfaces Process Master Abstract Process Master is an advanced utility for detecting and terminating (“killing”) hidden processes (such processes are often associated with virus, spyware, or rootkit activity). Advanced viruses, spyware, and rootkits work by changing the results of the API is used by the Windows standard Task Manager. Process Master compares the API results with the results of advanced low-level system techniques to detect the presence of well-known rootkits and the modifications they make. It is intended to be used in conjunction with an anti-virus program, but can also be used without an anti-virus program. Process Master Type Hidden process termination OS Windows 2000, XP, 2003 Hardware 1 MB of free disk space License Commercial NIAP Validated No Common Criteria Developer Backfaces (Ukraine) Availability http://www.backfaces.com/download/ IA Tools Report 179 Section 4 Anti-Malware Tools DiamondCS ProcessGuard Abstract ProcessGuard provides kernel-level protection that prevents the installation of rootkits, malicious drivers, rootkit stealth Trojans, and other malware; determines which programs are executing on the system and logs them for post-infection analysis, controls program execution on a per-program basis, and prevents execution of unknown and unwanted processes; protects processes and services against forced termination, suspension, and crashing; protects processes and executable code against modification; analyzes inter-process behaviors between programs, and determines which programs are attacking others on the system; protects physical memory against modification; prevents firewall leak-test bypass methods; and blocks hooks, code injections, and many other classes of attacks (including Windows file protection attacks and user spoofing attacks) and malware-related behaviors. ProcessGuard can also be used to protect firewalls, anti-virus programs, and other security tools from being attacked by Trojans and viruses. ProcessGuard is available in two versions—a “lightweight” free version with fewer features and which provides weaker protection, and a commercial version that is fully featured. 180 IA Tools Report ProcessGuard Type Kernel-level execution constraint and malware blocking OS Windows 2000, XP, Server 2003 Hardware License Commercial (freeware version available) NIAP Validated No Common Criteria Developer DiamondCS (Australia) Availability http://www.diamondcs.com.au/ processguard/index.php Section 4 Anti-Malware Tools Leithauser Research Trojan Slayer Abstract Trojan Slayer uses machine learning to generate a baseline of the programs that are usually run on the system. Once trained, Trojan Slayer uses one of four enforcement modes to prevent any new processes from running on the system—Report Mode, in which Trojan Slayer informs the user of the program’s presence, and prompts the user to allow or deny execution; Block Mode, in which Trojan Slayer informs the user that it has prevented a specific program from executing; Delete Mode, in which Trojan Slayer blocks and deletes the process file from the system; and Replace Mode, in which Trojan Slayer replaces the suspicious program file with a dummy file that has the same name to prevent the Trojan from restoring itself. Trojan Slayer Type Trojan execution constraint OS Windows 95 and later Hardware License Commercial NIAP Validated No Common Criteria Developer Leithauser Research Availability http://leithauserresearch.com/ts.html IA Tools Report 181 Section 4 Anti-Malware Tools Mocana® NanoDefender® Abstract Mocana’s patent-pending NanoDefender is an anti-malware intrusion detection system designed to prevent malicious code execution in the context of an existing application or process. NanoDefender can shut down any exploit that is in the process of changing the function flow within running code before that exploit has a chance to do any damage. NanoDefender even provides protection from remote and local stack-based overflows, format string attacks/string exploits, heap overflows, and return-tolibc Integer overflows. NanoDefender is focused on recognizing previously unknown attacks, especially on handheld and wireless devices, and on eliminating “false positives.” Unlike other anti-malware products that rely on signatures, NanoDefender is not intended to run as an external program; it is meant to be integrated into the device or application to be protected during that device’s/application’s manufacturing or development process. NanoDefender is basically a set of tools and code designed to “wrap” and “harden” executable images against arbitrary code execution. When a new application is compiled, NanoDefender performs a static analysis of the code to determine the call flow of the executable. In other words, NanoDefender determines which functions call which functions, and which functions make which system calls. Later, at link time, the executable is instrumented to track function calls. Finally, at runtime, NanoDefender runtime code and the (now specially modified) OS together enforce the proper call flow. NanoDefender is CPU architecture- and platformindependent. Linux platforms are supported out of the box, and ports are expected to be easy to other common platforms (e.g., BSD, Solaris, Windows, Mac OS X, as well as a number of special-purpose, 182 IA Tools Report embedded, and real-time operating systems). Processors supported include those from Intel, Hitachi, and several other manufacturers. Mocana’s intended customers are not end users, but device manufacturers, software developers, and OEMs. NanoDefender Type Malware execution prevention OS Hardware License Commercial NIAP Validated No Common Criteria Developer Mocana Corporation Availability http://mocana.com/NanoDefender.html Section 4 Anti-Malware Tools Security Stronghold Active Shield Abstract Active Shield is a heuristic armor that actively protects the PC from spyware, Trojans, adware, trackware, dialers, keyloggers, rootkits, and other kinds of malicious software. Where other antispyware and anti-malware utilities search for malicious programs on the hard drive and registry after the malware has already infected the system, Active Shield works actively like a firewall to intercept malicious programs that try to reach the PC, and block them from installing themselves there. Active Shield Type Malware installation prevention OS Windows 2000, XP, 2003, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Security Stronghold (Russian Federation) Availability http://www.securitystronghold.com/ active_shield.html IA Tools Report 183 Section 4 Anti-Malware Tools Softmedia Publishing SpyCop® Cloak Abstract Cloak protects users’ keystrokes and other private information from sniffing or capture by intercepting and suspending any program—be it keylogger, spyware, virus, Trojan, password recorder, chat recorder, email recorder, screen recorder, Web site recorder, or credit card number recorder—that attempts access to the user’s chats, emails, credit card data, or other private information. The user is then alerted to the presence of the program, and must expressly grant that program permission to operate before SpyCop Cloak will allow it to continue executing. 184 IA Tools Report SpyCop Cloak Type Malware activity interception and suspension OS Windows 2000, XP, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer Softmedia Publishing, Inc. (Canada) Availability http://www.spycop.com/ Section 4 Anti-Malware Tools Usec.at Ushields Systemshields Abstract Ushields Systemshields protects a computer by preventing the installation of spyware, adware, and BHOs (also known as phishing Trojans) by detecting and blocking registry attacks and installation of backdoors. Systemshields also logs all events to enable easier investigation of malware-related intrusion attempts. Ushields Systemshields’ specific functions include— XXProtection of autorun keys from being changed without the user’s permission; Ushields Systemshields Type Spyware installation prevention OS Windows Hardware License Freeware NIAP Validated No Common Criteria Developer Usec.at (Austria) Availability http://usec.at/downloads2/SystemShield_ installer_free.exe http://www.usec.at/ushields.html XXProtection of legacy autorun Keys from having their settings changed; XXProtection of service keys from being deleted or changed; XXProtection of BHO keys to prevent remotely sourced installation of rogue code in the browser; XXProtection of IE settings against being changed to alter the browser’s operation or cause it to download files without the user’s permission; XXProtection of the host file from being edited to prevent address changes on sites visited by the user, i.e., to prevent cross-site scripting type attacks used for identity theft; XXPrevention of legitimate programs from making registry changes with the user’s permission; XXDisplay of all attempted changes by all programs, along with display of outcome of those changes if the user chooses to allow them to occur; XXMechanism for creating a “white list” of programs approved to operate; XXLogging of all changes to the registry as they occur. IA Tools Report 185 Section 4 Anti-Malware Tools 4.3.3 Malware Analysis Tools The tools in this section are used to perform or enable various types of analyses on malware discovered on a system, either in aid of generating malware signatures or incident response/forensic investigation. 186 IA Tools Report Section 4 Anti-Malware Tools DiamondCS Deep System Explorer Abstract Deep System Explorer is an advanced security tool for Windows that examines the deepest levels of the system to provide as much information as possible that reveals different signs of infection by malware. The tool enables the user to target specific areas of the system for scanning at both kernel-mode and usermode levels of the OS. Deep System Explorer can detect live Trojans by using the latest advanced anti-rootkit techniques, including techniques against novel rootkits. The tool is able to detect both existing and future rootkits and hooks without relying on a database of signatures. Deep System Explorer Type Malware indicator detection OS Windows 2000, XP, Server 2003, Vista Hardware License Commercial NIAP Validated No Common Criteria Developer DiamondCS (Australia) Availability http://www.diamondcs.com.au/dse/ Deep System Explorer is available in Standard (less fully-featured, and less expensive) and Professional editions. Standard Edition checks for significantly fewer hidden objects than does Professional Edition. IA Tools Report 187 Section 4 Anti-Malware Tools iDefense Malcode Analysis Pack Abstract The Malcode Analysis Pack contains a number of utilities found by iDefense’s own malware researchers to be necessary for doing rapid malcode analysis. These utilities are— XXGdiProcs—Attempts to detect hidden processes by cycling through all elements in the Process Environment Block’s GDISharedHandleTable and recording their unique process IDs. Malcode Analysis Pack XXShellExt—Adds shell extensions to Windows Explorer’s right-click context menus that enable decompilation of CHM files on demand, display of file names/sizes/MD5 hashes, display of all American Standard Code for Information Interchange (ASCII) and Unicode strings from a target file, display of file names/sizes/hashes; XXSocketTool (SckTool)—Manual TCP Client for probing functionality by sending test/debug text and binary data to a server; XXMailPot—A small mail server “capture pot” tool that captures emails sent by Trojans and mass mailers. MailPot can be used to provide an email “honeypot” that spoofs an Outlook mail server; XXfakeDNS—A minimal domain name system (DNS) server that spoofs a real network DNS server; useful for forcing bots and other malicious code to use the fake DNS server’s services (e.g., email, Web, IRC) to enable observation and analysis; XXSniff_Hit—Specialized HTTP, IRC, and DNS sniffer designed to capture and present target communication data, including traffic on unknown and undefined ports; XXSclog—Provides overviews of unknown shellcode functionality by executing that code within a minimal sandbox implemented via API hooking; XXIDCDumpFix—Helps implement an RE shortcut for working with arbitrarily packed files; provides a way to get a clean readable disassembly of the packed program faster than possible with standard disassemblers; XXShellcode2Exe—Generates executables on the fly by generating hexadecimal or %u-encoded [16] shellcode, then converting it into raw binary, enabling analysis of the resulting new shellcode buffers using Sclog.exe or any debugger; 188 IA Tools Report Type Malicious code analysis toolset OS Windows with Microsoft VBScript RegExp 1.0, mscomctl.ocx, mswinsck.ocx, richtx32.ocx, vbDevKit.dll, and spSubclass.dll. Note—If running an early version of Windows 2000 or Windows 98, the provided Visual Basic 6 runtime libraries must also be installed. The tools also require IE 5 to run. Hardware License GPL NIAP Validated No Common Criteria Developer iDefense Labs (owned by VeriSign) Availability http://labs.idefense.com/software/ download/?downloadID=8 Section 4 Anti-Malware Tools iDefense SysAnalyzer with ProcessAnalyzer Abstract SysAnalyzer is an automated malicious code run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly collect, compare, and report on the actions a binary took while running on the system. The main components of SysAnalyzer compare snapshots of the system over a user-specified time interval. The reason a snapshot mechanism was used compared to a live logging implementation is to reduce the amount of data that analysts must wade through when conducting their analysis. By using a snapshot system, we can effectively present viewers with only the persistent changes found on the system since the application was first run. While this mechanism does help to eliminate a lot of the possible noise caused by other applications, or inconsequential runtime nuances, it also opens up the possibility for missing key data. Because of this, SysAnalyzer also gives the analyst the option to include several forms of live logging into the analysis procedure. SysAnalyzer can automatically monitor and compare running processes, open ports, loaded drivers, injected libraries, key registry changes, APIs called by a target process, file modifications, and HTTP, IRC, and DNS traffic. The SysAnalyzer ProcessAnalyzer tool can create a memory dump of target process, parse it for strings, parse string output for .exe, registry, and URL references, and scan the dump for known exploit signatures. SysAnalyzer supports an API-Logger option to add real-time API logging to the analysis output. The API logger works by injecting a DLL into the target process. Once loaded, the DLL will insert a series of detour-style hooks into specific API calls. When these API are accessed by any code in the process, they will trigger a notification message, which is sent to the main SysAnalyzer interface. SysAnalyzer with ProcessAnalyzer Type Process analysis detection and removal OS Windows 2000, XP Also requires psapi.dll and the following third-party libraries—vbDevKit.dll, spSubclass.dll, mswinsck.ocx, mscomctl. ocx, tabctl32.ocx Note—Designed for Windows Native API, which is not supported by Microsoft; may operate erratically under later APIs supported by Microsoft. Hardware License GPL NIAP Validated No Common Criteria Developer iDefense Labs (owned by VeriSign) Availability http://labs.idefense.com/software/malcode. php SysAnalyzer is designed to operate in conjunction with Process Analyzer, a stand-alone executable that complements SysAnalyzer’s focus on system analysis by focusing on individual processes. IA Tools Report 189 Section 4 Anti-Malware Tools MANDIANT Red Curtain V1.0 Abstract Red Curtain is free software for incident responders that assists with the analysis of malware. Red Curtain examines executable files (e.g., .exe, .dll) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat “score.” This score can be used to identify whether a set of files is worthy of further investigation. 190 IA Tools Report Red Curtain v1.0 Type Malware detection based on binary code analysis OS Windows Hardware License Freeware NIAP Validated No Common Criteria Developer MANDIANT Availability http://www.mandiant.com/software/d/ mrcdld.htm Section 4 Anti-Malware Tools Norman SandBox Analyzer and SandBox Analyzer Pro Abstract The SandBox Analyzer helps security professionals automate their malware analysis process. A complete analysis of the samples is available in a variety of formats, giving the user the freedom to see the information they prefer to see. The most useful outputs are the SandBox summary, available in both text or XML formats, and the API log of system calls. The Analyzer also offers the ability to extract dropped files, memory dumps, and URL content from the SandBox environment. The graphical interface, used for help desk and quick behavioral analysis situations, provides other information windows, including anti-virus engine signature scanning, statistics, lists of dropped files, network connections, and IRC servers found in the batch of suspicious files analyzed. SandBox Analyzer for Linux gives customers an important option to the popular Windows version of the SandBox Analyzer. the live Internet allows analysts to quickly analyze and monitor botnets, network worms, downloaders, and other network-reliant code. SandBox Analyzer and SandBox Analyzer Pro Type Malware analysis OS Analyzer—Windows 2000/2003 or XP Analyzer Pro—Windows 2000/2003 or XP; FreeBSD Linux Hardware Pentium PIII License Commercial NIAP Validated No Common Criteria Developer Norman ASA (Norway) Availability http://www.norman.com/enterprise/ all_products/malware_analyzer/norman_ sandbox_analyzer/en http://www.norman.com/enterprise/ all_products/malware_analyzer/norman_ sandbox_analyzer_pro/en SandBox Analyzer Pro provides deep forensic analysis of executable code. Analyzer Pro is a complete reverse engineering environment developed on the stability of the powerful SandBox platform. Analyzer Pro combines the capabilities of many other reverse engineering tools into one product. The user has full control over the SandBox environment and the execution of the sample being analyzed. Registers, memory, disassembled code, virtual hard disk, and network activity can all be closely monitored and manipulated in order to understand the full potential of the suspicious code. Analyzer Pro includes many advanced debugging features like the ability to take snapshots, simulate execution in reverse, search and dump memory contents, log and save network packets, and many others. The user is able to see and work with code both at the application and kernel levels to see rootkit and exploit code behavior. The ability to connect to IA Tools Report 191 Section 4 Anti-Malware Tools 4.3.4 Other Tools The tools described in this section do not fall into any of the other categories, but are still antimalware specific. 192 IA Tools Report Section 4 Anti-Malware Tools iDefense Multipot v0.3 Abstract Multipot is an emulation-based honeypot designed to capture malicious code that spreads through various exploits across the network. Design specifications for this project mandated that the captures be done in such a way so that the host machine would require only minimal supervision and would not become infected itself. Multipot was designed to emulate exploitable services to safely collect malicious code. XXMultiPot is intended to be used by— XXInternet service providers (ISP), to monitor Multipot v0.3 Type Honeypot for capturing malware code OS Windows Hardware License GPL NIAP Validated No Common Criteria Developer iDefense Labs (owned by VeriSign) Availability http://labs.idefense.com/software/malcode. php their networks, XXCorporate security personnel, to be warned of infections, XXSecurity researchers, to build statistics of Internet health, XXVirus researchers, to collect new samples of malware in the wild, XXHobbyists and students, to learn more about Internet security. IA Tools Report 193 Section 4 Anti-Malware Tools Invisible Things System Virginity Verifier (SVV) Abstract SVV checks important Windows System components, which are usually altered by various stealth malware, in order to ensure system integrity and to discover possible system compromise. SVV— XXVerifies the integrity of in-memory code sections, which are intended to be read-only (in all modern OSs), and thus should not have their code modified by any program. The tool checks whether code sections of important system DLLs and drivers (kernel modules) are different in memory than they are in the corresponding portable executable files on disk; XXAllows for disinfection (malware removal); XXStrives not to generate false positives. 194 IA Tools Report System Virginity Verifier (SVV) 2.3 Type System integrity checking OS 32-bit Windows 2000/XP/2003/Vista Hardware License Freeware NIAP Validated No Common Criteria Developer Invisible Things Lab (Poland) Availability http://www.invisiblethings.org/code.html Section 4 Anti-Malware Tools 4.3.5 Malicious Code Detection and Analysis Services In addition to the tools described above, there are some service providers who specialize in third-party analysis of organizations’ computer systems or software for purposes of malicious code detection. These service providers are listed in Table 4-1, with short descriptions of their service offerings. Table 4-1 Malicious Code Detection and Analysis Services Service Description URL BitDefender Online Scanner Uses BitDefender’s AntiVirus technology to perform a free virus scan over the Internet of any Windows XP (or later) system that uses Microsoft IE to connect to the BitDefender Online Scanner Web site http://www.bitdefender.com/scanner/ online/free.html MessageLabs® Email MessageLabs hosted Email Anti-Virus Service uses a combination of Anti-Virus Service technologies to deliver protection against known and unknown viruses. v5.1 and Web Security To deal with known viruses, perimeter defenses deploy traffic and Anti-Spyware & connection management to identify unwanted email from known Anti-Virus Protection sources, slow it down, and reject it. Unknown viruses are intercepted by MessageLabs’ Skeptic technology. By following Web links, the service also identifies and blacklists virus-hiding URLs. Email Anti-Virus service is compatible with any SMTP-compliant email messaging platform including Exchange Server, Groupwise, and Lotus Notes-Domino. Web Security Anti-Spyware & Anti-Virus combines Web Anti-Virus service comparable to Email Anti-Virus with protection against spyware, via use of multiple scanning engines. MessageLabs is based in the United Kingdom, and owned by Symantec. http://www.messagelabs.co.uk/products/ email/anti_virus.aspx http://www.messagelabs.co.uk/products/ web-security-services/web_spyware Microsoft Windows Live Safety Scanner A Web service provided by Microsoft that performs free scans of Windows XP (or later)-based systems to detect and remove viruses and junk files and to optimize PC performance http://onecare.live.com/site/en-us/default. htm?s_cid=sah New Technology Wave Virus Chaser Application Service Provider Virus Chaser for Web online service does not require the user to download or install any virus program. Instead, the virus scan and remediation are obtained via the Internet. The service uses New Technology Wave’s Virus Chaser technology, described in Section 4.3.1.2. New Technology Wave, Inc., is based in Seoul, Korea. http://www.viruschaser.com/enwi/2_05.jsp Norman Online Protection A subscription software-as-a-service (SaaS) by which Norman intercepts http://www.norman.com/smb/all_ and scans all emails before forwarding them to the subscriber’s mail server. products/email/norman_online_ protection/en Norman SandBox Online Analyzer Norman’s SandBox Analyzer is implemented as SaaS to enable users to analyze file behavior by uploading suspicious files for analysis from anywhere in the world. Norman’s dedicated servers then provide a comprehensive analysis of the activities associated with those files. After a file has been processed, the service issues a report containing a summary, plus in-depth descriptions of the file’s actions in an API log view via a Web interface. http://www.norman.com/enterprise/ all_products/malware_analyzer/ norman_sandbox_online_analyzer/en TrendMicro HouseCall An online service that remotely scans certain PCs and other desktop systems to determine whether it has been infected by viruses, spyware, or other malware, and checks for and fixes vulnerabilities that would allow re-infection. The service has fairly stringent requirements for the hardware, OS versions, and software that must be installed on systems that it will scan, which implies that the service likely downloads certain software to the target system. http://housecall.trendmicro.com/ IA Tools Report 195 Section 4 Anti-Malware Tools Service Description URL VeraCode Binary Executable Analysis Service A third-party analysis of binary software executables for security vulnerabilities and presence of malicious logic, including time bombs and rootkits. VeraCode does not analyze operational computer systems, but rather software prior to its deployment. http://www.veracode.com VirusTotal A free online service provided by Hispasec Sistemas (Spain), VirusTotal enables customers to upload suspicious files of 20 MB or smaller, which are scanned by multiple anti-malware engines to determine whether those files contain malicious code. VirusTotal is not intended as a substitute for anti-virus software installed on the PC, but can be used to augment the installed anti-virus software by enabling the customer to perform on-demand scanning of small files by a wide range of different anti-virus products. http://www.virustotal.com Zombie Detection System A free online service provided by PineApp (an Israeli security appliance vendor) that automatically determines the user’s computer’s IP address. The user then has the option of submitting that IP in an online form, after which the tool checks the IP against its database of known zombies and reports back whether the system is clean, and also the system’s “reputation,” based on the amount of email traffic it generates, and also its level of risk, based on the presence of known zombies on the same network. References 8 The “MIME” referred to is the Multipurpose Internet Mail Extensions format for email attachments. 9 CA formerly stood for “Computer Associates.” 10 GNU is a recursive acronym that amplifies to “GNU’s Not Unix.” GNU itself is not an acronym. The founders of the GNU software project adopted the gnu as its mascot and name, inspired, at least in part, by the Flanders and Swann comic song “The Gnu.” 11 Export outside Russia permitted under licenses from Federal Service for Technology and Export Control of Russian Federation and Federal Security Service of the Russian Federation (Russia’s federal security service). 12 DNA = deoxyribonucleic acid. Obviously, malicious software does not consist of actual DNA. The term is used here to imply that the wholly unique content and properties of a particular piece of malware are comparable to DNA in living species, and can be similarly used to identify that malware. 13 Licenses are available for “home and family” and “business” users. 14 A milter is an extension to the popular open source mail transfer agents Sendmail and Postfix. A milter enables the administrator to insert mail filtering for spam, viruses, etc., into the mail processing chain. For more information see—https://www.milter.org. 196 IA Tools Report http://www.rbltest.com 15 At this time, botnet detection is an area of active research in the academic, industry, and government Science and Technology communities. Botnet detection services are offered by a number of network and Internet service providers for their customers. Because these are not tools or services widely available via the Internet, they have not been included in this report. See Meinel, Carolyn. “Botnets II—Emerging Threats, Tactics, and Defenses,” published by InformIT, 19 December 2008. Accessed 29 May 2009 at http://www.informit.com/articles/printerfriendly. aspx?p=1312663. A number of secure email tools and systems include zombie detection based on detection of quantity of outbound emails based on the recognition that one typical indicator of zombie status is the use of the hijacked system to disseminate large quantities of spam, phishing emails, and malware in email attachments. 16 %u encoding is a technique whereby Unicode bytes are preceded by the character sequence %u. This prefix obfuscates commands to Web servers in a way that prevents those commands from detection by RealSecure, Dragon IDS, and Snort intrusion detection systems. Section 5 u Informational Resources Table 5-1 lists some good general information resources on malware risks and mitigations, including tools. Table 5-1 Reference Materials Resource URL AV.Test [17] White papers http://www.av-test.org/index. php?sub=Papers&menue= 1&lang=0php?sub=Papers&men ue=1&lang=0 Department of the Treasury Inspector General for Tax Administration. While Controls Have Been Implemented to Address Malware, Continued Attention Is Needed to Address This Growing Threat, Final Audit Report 2009-20-045, 10 March 2009. http://www.treas.gov/tigta/auditr eports/2009reports/200920045fr. pdf Virus Bulletin http://www.virusbtn.com/ virusbulletin/archive/index The Wildlist Organization International http://www.wildlist.org VX Heavens http://vx.netlux.org Cooke, Evan, Farnam Jahanian, and Danny McPherson. “The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets,” in Proceedings of the USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop, Cambridge, MA, 7 July 2005. SANS InfoSec Reading Room. “Malicious Code” Spyware-Assistance.org http://www.usenix.org/event/ sruti05/tech/cooke.html (no password required) —or— http://www.eecs.umich. edu/~emcooke/pubs/botnetssruti05.pdf —or— http://isis.poly.edu/~kurt/fm/ feb_15/sruti05_final.pdf http://www.sans.org/reading_ room/whitepapers/malicious http://spyware-assistance.org Table 5-2 lists guidance documents for addressing malware risks both in operational environments and during the software development and maintenance life cycle. Table 5-2 Anti-Malware Guidance Document or Web Page URL NSA Malicious Code Tiger Team. http://www.nsa.gov/ia/_files/ Guidance for Addressing Guidance_For_Addressing_ Malicious Code Risk, 10 Malicious_Code_Risk.pdf September 2007. National Institute of Standards and Technology (NIST). Guide to Malware Incident Prevention and Handling, Special Publication 800-83, November 2005. http://csrc.nist.gov/publications/ nistpubs/800-83/SP800-83.pdf United States Computer Emergency Response Team (US-CERT). Malware Threats and Mitigation Strategies http://www.us-cert.gov/ reading_room/malware-threatsmitigation.pdf Ohio Office of Information Technology. Malicious Code Security Policy. http://www.oit.ohio.gov/IGD/ Policy/pdfs_policy/ITP-B.4.pdf Pacific Northwest National Laboratory. Guide for Home Computer Security http://www.pnl.gov/media/ homeguide_public.pdf With the increasing prevalence of malware—both on home users’ systems and corporate enterprises, a number of organizations and initiatives are dedicated to researching and preventing the spread of malware. Among the most prominent initiatives are the research arms of the anti-malware vendors discussed in Section 4 of this report. While they perform a vital service to the anti-malware industry, their results feed directly into their own anti-malware products. By contrast, the organizations and initiatives listed in Table 5-3 were established by research institutions and other independent organizations in order to perform or distribute the results of their antimalware research or practices. Please note, Table 5-3 does not attempt to be exhaustive. Instead, it is intended to provide a starting point for readers seeking anti-malware organizations or activities with which to become involved. IA Tools Report 197 Section 5 Informational Resources Table 5-3 Anti-Malware Organizations and Initiatives Organization or Initiative Description URL Microsoft Malware Protection Center This initiative aims to provide a communication mechanism for the Microsoft Malware Response Center to include day-to-day “behind-thescenes” information about malware research at Microsoft. http://blogs.technet.com/mmpc Malware Research Group Provides testing of security applications, malware research, as well as a clearinghouse of information about new forms of malware. Specifically, Malware Research Group tests multiple anti-malware tools suites to measure their comparative effectiveness. http://malwareresearchgroup.com Software Assurance Forum Malware Attribution Working Group This working group of the DHS/DoD/NIST co-sponsored Software Assurance Forum aims to examine the malware threat landscape and attempt to discern novel approaches to malware. https://buildsecurityin.us-cert.gov/swa/ malact.html EICAR [18] Working Group 2 on Anti-Virus Practices EICAR Working Group 2 on Anti-Virus Practices provides a forum for administrators and users of anti-virus products to exchange lessons learned and other information on their experiences. http://www.eicar.org Anti-Malware Testing Standards Organization (AMTSO) This effort aims to provide an objective, quality anti-malware testing methodology that may be adopted by organizations to compare anti-malware products. In October 2008, AMTSO released an initial set of documents relating to testing anti-malware. http://www.amtso.org USENIX Workshops on Offensive Technologies These workshops focus on malware-related vulnerability research, and malware exploit techniques, design, and implementation. The results from this research will be integrated into future anti-malware software. http://www.usenix.org/event/woot09 StopBadware.org This initiative is a partnership among academia, technology industry leaders, and volunteers to provide information on malware trends and distribution. http://www.stopbadware.org Antirootkit.com This initiative is aimed at providing end users with information about rootkits as well as an understanding of the tools that can be used to detect and remove them. http://www.antirootkit.com Antispyware Coalition (ASC) This is a group dedicated to building a consensus about definitions and http://www.antispywarecoalition.org best practices in the debate surrounding spyware and other potentially unwanted technologies. Composed of anti-spyware software companies, academics, and consumer groups, the ASC seeks to bring together a diverse array of perspective on the problem of controlling spyware and other potentially unwanted technologies. Shadowserver Foundation This is an all-volunteer watchdog group of security professionals that gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware. http://www.shadowserver.org/wiki Chain of Trust Initiative Developed by the ASC, the National Cyber Security Alliance, and StopBadware.org, the Chain of Trust Initiative will link together security vendors, researchers, government agencies, Internet companies, network providers, and advocacy and education groups in a systemic effort to stem the rising tide of malware. http://cdt.org/press/20090519press.php 198 IA Tools Report Section 5 Informational Resources References 17 AV.Test is a security consulting firm that performs independent tests of anti-virus and other anti-malware tools and products. 18 Originally the European Institute for Computer Antivirus Research, when EICAR expanded its mission beyond anti-virus to address IT security in general, it began designating itself by its acronym only. IA Tools Report 199 SECTION 6 u References and Bibliography The following documents and online resources were consulted in the development of this paper— “Malware threat reported by Swiss cybercrime operation,” in IT Reseller, 13 May 2008. Accessed 25 May 2009 at http://www.itrportal.com/absolutenm/ templates/default.aspx?a=5041&template=printarticle.htm “Microsoft Says Recovery from Malware Becoming Impossible,” in eWeek, 4 April 2006. “Most Chinese Hackers Seek Passwords; More than half of the malware coming out of China aims to steal passwords, and nearly half of those attempts targeted online gaming login information during October,” in InformationWeek, 28 November 2006. “Net threats: Why going online remains risky,” in Consumer Reports, September 2007. “Sapphire/Slammer Worm Shatters Previous Speed Records for Spreading through the Internet,” ScienceDaily Press Release, 5 February 2003. Accessed 30 July 2008 at http://www.sciencedaily.com/ releases/2003/02/030205073007.htm Abrams, Marshall D. and Harold J. Podell. “Essay 4: Malicious Software.” Accessed 25 May 2009 at http:// www.cs.ucr.edu/~brett/cs165_s01/04.pdf Addington, Bill. “Slowing Down the Computer Patch Cycle,” in ComputerWorld, 3 May 2004. Accessed 22 July 2008 at http://www.computerworld.com/ printthis/2004/0,4814,92037,00.html Arora, Ashish, Anand Nandkumar, and Rahul Telang. “Does information security attack frequency increase with vulnerability disclosure? An empirical analysis,” in Information Systems Frontier, Vol. 8 No. 5, 2006, pp. 350-362. Accessed 22 July 2008 at http://www.heinz. cmu.edu/~rtelang/vuln_freq_ISF.pdf Arora, Ashish, Ramayya Krishnan, Rahul Telang, Yubao Yang. “An Empirical Analysis of Software Vendors’ Patching Behavior: Impact of Vulnerability Disclosure.” January 2006. Accessed 10 June 2008 at http://www.heinz.cmu.edu/~rtelang/disclosure_ jan_06.pdf Australian Institute of Criminology. “Malware— viruses, worms, Trojan horses.” High Tech Crime Brief No. 10, 2006. AV.Test. Multiple publications. Accessed 28 June-10 July 2008 at http://www.av-test.org/index. php?sub=Papers&menue=1&lang=0 Avci, Ozan Okan. “Hacking Seminar: Malware Protection Techniques.” Tutorial at RheinischWestfälische Technische Hochschule Aachen (Germany), 10 June 2004. Balepin, Ivan, University of California at Davis. Superworms and Cryptovirology: a Deadly Combination. Barwinski, Mark Andrei. Taxonomy of Spyware and Empirical Study of Network Drive-by Downloads. Naval Postgraduate School Master of Science Thesis, September 2005. Blair, Daniel. “Intro to Malware.” Wellesley College Course Handout, 6 October 2006. IA Tools Report 201 Section 6 References and Bibliography Brandt, Andrew. “The 10 Biggest Security Risks You Don’t Know About,” in PC World, 22 June 2006. Carnegie Mellon University Software Engineering Institute Computer Emergency Response Team Coordination Center (CERT/CC). “Malicious Code Propagation and Antivirus Software Updates.” CERT Incident Note IN-2003-01, 2 July 2003. Accessed 25 May 2009 at http://www.cert.org/incident_notes/ IN-2003-01.html CA Global Security Advisor Team. “2008 Internet Security Outlook,” January 2008. Accessed 31 May 2009 at http://ca.com/files/SecurityAdvisorNews/ ca_security_2008_white_paper_final.pdf Cappelli, Dawn M., Randall F. Trzeciak, and Andrew P. Moore. “Insider Threats in the SDLC [Software Development Life Cycle]: Lessons Learned from Actual Incidents of Fraud, Theft of Sensitive Information, and IT Sabotage,” presented at Software Engineering Process Group Conference, Austin, TX, 27 March 2007. Accessed 31 May 2009 at http://www. cert.org/archive/pdf/sepg500.pdf Cappelli, Dawn M., Tom Caron, Randall F. Trzeciak, and Andrew P. Moore. “Spotlight on: Programming Techniques Used as an Insider Attack Tool,” CERT/CC “Spotlight on” report, December 2008. Accessed 31 May 2009 at http://www.cert.org/archive/pdf/ insiderthreat_programmers_1208.pdf Chen, Thomas M. and Jean-Marc Robert. “The Evolution of Viruses and Worms,” in Statistical Methods in Computer Security (New York, NY: Marcel Dekker, 2004). Accessed 1 August 2008 at http://engr. smu.edu/~tchen/papers/statmethods2004.pdf Chen, Zesheng and Chuanyi Ji. “An InformationTheoretical View of Network-Aware Malware Attacks.” Presented at the 26th Annual Institute of Electrical and Electronics Engineers (IEEE) Conference on Computer Communications (IEEE INFOCOM 2007), Anchorage, AK, 6-12 May 2007; updated 6 May 2008. Accessed 31 May 2009 at http://arxiv.org/ pdf/0805.0802 202 IA Tools Report Chen, Zesheng. Modeling and Defending Against Internet Worm Attacks. Georgia Institute of Technology doctoral thesis, May 2007. Accessed 31 May 2009 at http://Web.eng.fiu.edu/zchen/paper/ PhD_Thesis.pdf Chien, Eric and Péter Ször. “Blended Attacks, Exploits, Vulnerabilities, and Buffer-Overflow Techniques in Computer Viruses,” in Virus Bulletin Conference, September 2002. Accessed 31 May 2009 at http://www. peterszor.com/blended.pdf. Also at http:// securityresponse.symantec.com/avcenter/reference/ blended.attacks.pdf Christodorescu , Mihai and Somesh Jha, University of Wisconsin at Madison. “Static Analysis of Executables to Detect Malicious Patterns,” in Proceedings of the 12th USENIX Security Symposium, Washington, DC, 4-8 August 2003, pp. 169-186. Accessed 18 May 2009 at http://www.cs.wisc.edu/wisa/papers/security03/cj03.pdf Claburn, Thomas. “Malware Doubled In 2007; Next Year Isn’t Looking Better; Analysts with F-Secure and Websense predict an explosive growth of malware, bot attacks, QuickTime exploits, and viruses that target the iPhone,” in InformationWeek, 5 December 2007. Accessed 25 May 2009 at http://www. informationweek.com/news/mobility/showArticle. jhtml?articleID=204701370 Claburn, Thomas. “Adware and Mobile Phone Malware on the Rise,” in InformationWeek, 3 April 2008. Accessed 25 May 2009 at http://www. informationweek.com/news/mobility/messaging/ showArticle.jhtml?articleID=207001403 Claburn, Thomas. “CES Risk: Free USB Flash Drives; Security researchers warn that flash media given away at trade shows—or even bought off the shelf— may contain malware,” in InformationWeek, 7 January 2008. Accessed 25 May 2009 at http://www. informationweek.com/news/security/cybercrime/ showArticle.jhtml?articleID=205210426 Section 6 References and Bibliography Claburn, Thomas. “Fake MP3 Trojan Detected on 27% of PCs; McAfee Avert Labs says more than half a million of the adware programs disguised as media files have been detected in less than a week,” in InformationWeek, 7 May 2008. Accessed 25 May 2009 at http://www.informationweek.com/news/security/ vulnerabilities/showArticle.jhtml?articleID=207600502 Claburn, Thomas. “Google Groups Still Littered with Malware-Infected Explicit Videos; Sunbelt Software CEO Alex Eckelberry says the problem is directly tied to hacks of Google’s CAPTCHA security,” in InformationWeek, 9 April 2008. Accessed 25 May 2009 at http://www.informationweek.com/news/internet/ security/showArticle.jhtml?articleID=207100674 Collins, Michael, Carrie Gates, and Gaurav Kataria. “A Model for Opportunistic Network Exploits: The Case of P2P Worms,” in Proceedings of WEIS 2006. Accessed 22 July 2008 at http://www.cert.org/netsa/ publications/WEIS2006-mcollins-modelopportunistic-07132006.pdf Computer Economics. “2005 Malware Report: The Impact of Malicious Code Attacks.” January 2006. Accessed 28 June 2008 at http://www. computereconomics.com/article.cfm?id=1090 Computer Economics. “2007 Malware Report: Annual Worldwide Economic Damages from Malware Exceed $13 Billion,” June 2007. Accessed 25 May 2009 at http://www.computereconomics.com/page. cfm?name=Malware%20Report Computer Emergency Response Team Coordination Center (CERT®/CC). “Overview of Attack Trends,” April 2002. Accessed 31 May 2009 at http://www.arcert.gov. ar/webs/textos/attack_trends.pdf Computer Security Institute and Federal Bureau of Investigation (CSI/FBI). Ninth Annual Computer Crime and Security Survey 2004. Computer Security Institute and Federal Bureau of Investigation. Tenth Annual CSI/FBI Computer Crime and Security Survey 2005. CSI/FBI. Eleventh Annual CSI/FBI Computer Crime and Security Survey 2006. CSI. CSI Survey 2007: The 12th Annual Computer Crime and Security Survey. CSI. CSI Survey 2008: The 13th Annual Computer Crime and Security Survey. Accessed 29 May 2009 (requires online registration) at http://www.gocsi. com/forms/csi_survey.jhtml Consumer Reports. “State of the Internet Survey 2005.” September 2005. Consumer Reports. “State of the Net 2006.” September 2006. Danchev, Dancho. “Malware—Future Trends.” 31 January 2006. Accessed 29 May 2009 at http://www. linuxsecurity.com/docs/malware-trends.pdf. Also at http://www.windowsecurity.com/whitepapers/ Malware-future-trends.html. Also at http:// packetstormsecurity.org/papers/general/malwaretrends.pdf Downs, Lawrence G., Jr., Commander, USN. “Digital Data Warfare: Using Malicious Computer Code as a Weapon.” Research Report for Air University Air War College, April 1995. Cached version accessed 31 May 2009 at http://citeseerx.ist.psu.edu/viewdoc/ summary?doi=10.1.1.17.5730 Dwaikat, Zaid. “Attacks and Countermeasures.” CrossTalk: The Journal of Defense Software Engineering, October 2005. Accessed 21 December 2007 at http://www.stsc.hill.af.mil/ crosstalk/2005/10/0510Dwaikat.html IA Tools Report 203 Section 6 References and Bibliography Fernandez, José M. and Pierre-Marc Bureau, École Polytechnique de Montréal. “Optimising Malware,” presented at ACM Malware ‘06, Phoenix, AZ, 10-12 April 2006. Accessed 31 May 2009 at http://www. professeurs.polymtl.ca/jose.fernandez/optimisingmalware-malware06.pdf. Also at http://isiom.wssrl. org/index.php?option=com_docman&task=doc_ view&gid=17. Also at http://www.ccsl.carleton.ca/dss/ materials/dss_paper_20060131.pdf Filiol, Eric. “Concepts and Future Trends of Computer Virology,” presented as a Plenary Talk at the 20th International Conference on Computer, Information, and Systems Science, and Engineering, Nice, France, 28-30 September 2007. Accessed 31 May 2009 at http:// www.waset.org/lectures/eric_barcelona07.pdf Garretson, Cara. “One in six PCs could be infected with malware; Study of 300,000 PCs showed 15% contained unwanted programs,” in Network World, 2 November 2007. Accessed 31 May 2009 at http://www. networkworld.com/news/2007/110207-one-in-six-pcs. html Gebhart, Glenn. “Worm Propagation and Countermeasures.” GSEC Practical Assignment, Version 1.4b, 24 February 2004. Accessed 31 May 2009 at http://www.sans.org/reading_room/papers/index. php?id=1410 Geralds, John. “Hacker insurance set to rocket,” on vnunet.com, 14 February 2003. Accessed 31 May 2009 at http://www.vnunet.com/vnunet/news/2121538/ hacker-insurance-set-rocket Filiol, Eric. “Malware of the Future: When Mathematics Work for the Dark Side,” presented at Hack.lu Conference, Grand-Duchy of Luxembourg, 22-24 October 2008. Accessed 31 May 2009 at 2009. hack.lu/archive/2008/Malware%20of%20the%20 Future.pdf Golovanov, Sergey. “Trend of the year: the evolution of malicious programs targeting players of online games,” on Viruslist.com, 26 February 2008. Accessed 31 May 2009 at http://www.viruslist.com/en/ analysis?pubid=204791985 Filiol, Eric. “Metamorphism, formal grammars and undecidable code mutation,” in International Journal of Computer Science, Volume 2 Issue 1 Winter 2007 pg. 70. Accessed 31 May 2009 at http://www.waset.org/ pwaset/v20/v20-1.pdf Goranin, Nikolaj and Antanas Čenys. “Genetic Algorithm-Based Internet Worm Propagation Strategy Modeling,” in Information Technology and Control, Vol. 37 No. 2, 2008. Accessed 31 May 2009 at http://itc. ktu.lt/itc372/Goranin372.pdf Fortinet FortiGuard Center. “The State of Malware Today—The Year 2005.” Accessed 31 May 2009 at http://www.fortiguardcenter.com/report/ roundup_2005.html Gostev, Alexander. “Kaspersky Security Bulletin 2007: Malware Evolution in 2007,” on Viruslist.com, 26 February 2008. Accessed 31 May 2009 at http://www. viruslist.com/en/analysis?pubid=204791987 Gabrielson, Bruce, Karen Mercedes Goertzel, Theodore Winograd, et al. The Insider Threat to Information Systems: A State-of-the-Art Report (U// FOUO). Herndon, VA: IATAC, October 2008. Available upon request to qualified readers from http://iac.dtic. mil/iatac/form.html Government Accountability Office. Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats. Report to Congressional Requestors, GAO-07-705, June 2007. Accessed 31 May 2009 at http://www.gao.gov/new.items/d07705.pdf 204 IA Tools Report Section 6 References and Bibliography Government Accountability Office. Information Security: Emerging Cyber security Issues Threaten Federal Information Systems. Report to Congressional Requestors, GAO-05-231, May 2005. Accessed 31 May 2009 at http://www.gao.gov/cgi-bin/ getrpt?GAO-05-231 Grimes, Roger A. “Spyware slips through the patches—A handful of malware programs wreak havoc on a fully patched Windows XP system,” in InfoWorld, Volume 27 Issue 38, 19 September 2005, pg. 4. Accessed 31 May 2009 at http://www.infoworld. com/d/security-central/ spyware-slips-through-patches-235 Gruber, Christian. “What Does Exploit Mean? and the Sasser Worm.” Seminar presentation, 2 July 2008. Accessed 22 July 2008 at http://staff.cs.utu.fi/opinnot/ kurssit/SemSE/08/What-is-exploit.ppt Helmbrecht, Udo, Bundesamt für Sicherheit in der Informationstechnik (BSI). “Economic Dimension in Cyber Security,” presented at the 36th Session of the World Federation of Scientists International Seminars on Planetary Emergencies, Erice, Italy, 19-24 August 2006. Accessed 31 May 2009 at http://www.bsi.bund. de/bsi/reden/2006_08_18_Erice.pdf Hines, Matt. “Infrastructure threats: Botnets show DoS who’s boss; Malware-infected botnet PCs have overtaken denial-of-service attacks as the top security issue facing ISPs and other Web hosting companies,” in InfoWorld, 18 September 2007. Accessed 31 May 2009 at http://www.infoworld.com/d/security-central/ infrastructure-threats-botnets-show-dos-whosboss-359 IronPort Systems. “Malware Trends 2006.” Accessed 29 June 2008 at http://www.ironport.com/pdf/ wsr_2006-09.pdf IronPort Systems. “Report on Spam, Viruses and Malware, Highlights Trends of 2007 and Predictions for 2008.” Accessed 31 May 2009 at http://www. ironport.com/securitytrends/ IronPort Threat Operations Center and Web Security Report Staff. “The Business Impact of Malware,” in The Web Security Report, September 2006. Accessed 31 May 2009 at http://websecurityreports.messagingnews. com/9_06/index6.html James, Lance. “Trojans and Botnets and Malware, Oh My!” Presented at Schmoocon ‘06. Jenik, Aviram. “Vulnerability Detection Systems,” 5 October 2007. Joint Security and Privacy Committee of the National Electrical Manufacturers Association, the European Coordination Committee of the Radiological and Electromedical Industry, and the Japan Industries Association of Radiological Systems. “Defending Medical Information Systems Against Malicious Software,” December 2003. Accessed at http://www. medicalimaging.org/documents/medical-defending.pdf Jones, Wayne. “Cyber Security Emerging Trends.” 6 May 2008. Accessed 28 June 2008 at http://dns-lessons. lanl.gov/Workshop/JonesOCIOCyberSecurity.pdf Kamluk, Vitaly. “The botnet business,” on Viruslist. com, 13 May 2008. Accessed 31 May 2009 at http:// www.viruslist.com/analysis?pubid=204792003 IBM/Internet Security Systems. “X-Force 2006 Trend Statistics,” January 2007. Accessed 31 May 2009 at https://www-935.ibm.com/services/us/iss/pdf/x_ force_2006_trend_brief.pdf. Also at http://www.iss.net/ documents/whitepapers/X_Force_Exec_Brief.pdf Kannan, Karthik and Rahul Telang. “An Economic Analysis of Market for Software Vulnerabilities.” 3 May 2004. Accessed 22 July 2008 at http://www.dtc. umn.edu/weis2004/kannan-telang.pdf infectionvectors.com. “Disposable Victory,” July 2005. Accessed 30 June 2008 at http://www.infectionvectors. com/library/disposable_iv.pdf Kaspersky Lab’s Virus Encyclopedia. Accessed 19 June 2008 at http://www.viruslist.com/en/viruses/ encyclopedia IA Tools Report 205 Section 6 References and Bibliography Kennedy, Susan. “Common Web Application Vulnerabilities,” in Computerworld, 25 February 2005. Accessed 10 June 2008 at http://www.computerworld. com/printthis/2005/0,4814,99981,00.html Kasslin, Kimmo, F-Secure Corporation. “Kernel Malware: The attack from within,” 22 February 2007. Accessed 31 May 2009 at http://www.f-secure.com/ weblog/archives/kasslin_AVAR2006_KernelMalware_ paper.pdf Proceedings/Abstracts/Linger-abstract.pdf—and— http://www.csiir.ornl.gov/csiirw/09/CSIIRW09Proceedings/Slides/Linger-slides.pdf Linger, Richard C. Function Extraction Technology: Automated Calculation of Computer Program Behavior. Accessed 31 May 2009 at http://www.cert. org/sse/fxmc.html—also at http://www. functionextraction.info/webpage/fxmc5.php Kornakov, Konstantin. “Phishing emerged as a more common exploit than viruses and Trojans,” 31 January 2007. Livingston, Brian. “IceSword Author Speaks Out On ‘Rootkits’,” in Datamation, 14 June 2005. Accessed 25 May 2009 at http://itmanagement.earthweb.com/ columns/executive_tech/article.php/3512621 Kornakov, Konstantin. “Cybercrime losses amount to $14.2 billion,” on Viruslist.com, 30 January 2006. Accessed 31 May 2009 at http://www.viruslist.com/en/ viruses/news?id=178820306 Marx, Andreas, AV-Test.org. “Outbreak Response Times: Putting AV to the Test,” in Virus Bulletin, February 2004. Accessed 31 May 2009 at http://www. av-test.org/down/papers/2004-02_vb_outbreak.pdf Lackorzynski, Tim. “Future Trends of Malware.” 19 June 2006. Accessed 28 June 2008 at http://wwwse.inf. tu-dresden.de/wiki/images/f/f6/PROTimLackorzynski.pdf Mashevsky, Yury. “Watershed in malicious code evolution.” 29 July 2005. Accessed 31 July 2008 at http://www.viruslist.com/en/ analysis?pubid=167798878 Lemos, Robert. “Stormy weather for malware defenses: Virus-writers go after anti-virus vulnerabilities,” in Anti-Virus (reprinted in The Register), 7 March 2007. Accessed 31 May 2009 at http://www.theregister.co.uk/2007/03/07/ storm_malware_defenses/ Masud, Mehedy, Latifur Khan, and Bhavani Thuraisingham. “Detecting Malicious Executables,” class lecture given in the University of Texas at Dallas Department of Computer Science, 10 September 2007. Accessed at http://www.utdallas.edu/~bxt043000/ cs4398_f7/Lecture7.ppt Leyden, John. “Drive-by download menace spreading fast,” in The Register, 23 January 2008. Accessed 30 July 2008 at http://www.theregister.co.uk/2008/01/23/ booby_trapped_Web_botnet_menace/ McMillan, Robert. “Microsoft stats show Web attacks taking off,” in PC World, Volume 26 Issue 7, July 2008, pg. 56. Accessed 31 May 2009 at http://pcworld.about. com/od/securit1/Microsoft-Data-Show-Web-Attack.htm Linger, Richard, Stacy Prowell, and Kirk Sayre, Carnegie Mellon University Software Engineering Institute. Computing the Behavior of Malicious Code with Function Extraction Technology, in Proceedings of the Cyber Security and Information Intelligence Research Workshop, Oak Ridge and Knoxville, Tennessee, 13-15 April 2009. Accessed 31 May 2009 at http://www.csiir.ornl.gov/csiirw/09/CSIIRW09- Messmer, Ellen. “Top 5 security-menace predictions for 2008,” in Network World, 13 November 2007. Accessed 31 May 2009 at http://www.networkworld. com/news/2007/111307-top-security-menace-2008.html 206 IA Tools Report Section 6 References and Bibliography Moore, David, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver, The Cooperative Association for Internet Data Analysis (CAIDA). “The Spread of the Sapphire/Slammer Worm.” CAIDA white paper, 2003. Accessed 25 May 2009 at http://www.caida.org/publications/ papers/2003/sapphire/sapphire.html Multi-State Information Sharing and Analysis Center and United States Computer Emergency Readiness Team (US-CERT). “Current Malware Threats and Mitigation Strategies.” Informational Whitepaper, 16 May 2005. Accessed 31 May 2009 at http://www. us-cert.gov/reading_room/malware-threatsmitigation.pdf Murphy, Edmond J. Counterintelligence Through Malicious Code Analysis. Naval Postgraduate School Master’s Thesis, June 2007. Accessed 26 May 2009 at http://oai.dtic.mil/oai/oai?&verb=getRecord&metadat aPrefix=html&identifier=ADA471421 Nachenberg, Carey. “Generic Exploit Blocking: Prevention, Not Cure.” ISACA Information Systems Control Journal, Volume 2, 2005. Accessed 22 July 2005 at http://www.isaca.org/Template.cfm?Section=H ome&CONTENTID=34328&TEMPLATE=/ ContentManagement/ContentDisplay.cfm NIST National Vulnerability Database. Accessed 26 June 2008 at http://Web.nvd.nist.gov/view/vuln/search ;jsessionid=8ecde241b67a5495fbca99cf826c?execution =e1s1 NSA Malicious Code Tiger Team. Guidance for Addressing Malicious Code Risk, 10 September 2007. Accessed 25 May 2009 at http:// www.nsa.gov/ ia/_files/Guidance_For_Addressing_Malicious_Code_ Risk.pdf Osterman, Michael. “Malware is getting very serious.” Network World 28 September 2006. Accessed 31 May 2009 at http://www.networkworld.com/newsletters/ gwm/2006/0925msg2.html PCWorld download page for IceSword. Accessed 25 May 2009 at http://www.pcworld.com/downloads/file/ fid,64212-order,1-page,1-c,moreantispywaretools/ description.html?&page=11 Peterson, Pat. “Malware Trends: The Attack of Blended Spyware Crime,” in the Web Security report, September 2006. Accessed 31 May 2009 at http:// websecurityreports.messagingnews.com/9_06/ Prince, Brian. “Malware Maelstrom Coming from Russia with Love,” in eWeek, 2 August 2007. Accessed 25 May 2009 at http://www.eweek.com/c/a/Security/ Malware-Maelstrom-Coming-from-Russia-with-Love/ Provos, Niels, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu, Google, Inc. “The Ghost In The Browser: Analysis of Web-based Malware,” in Proceedings of HotBots’07, Cambridge, MA, 10 April 2007. Accessed 1 August 2008 at http://www.usenix.org/event/hotbots07/tech/ full_papers/provos/provos.pdf Provos, Niels, Joe McLain, and Ke Wang. “Search Worms,” in Proceedings of the 4th ACM Workshop on Recurring Malcode (WORM 2006), Fairfax, VA, 3 November 2006. Accessed 31 May 2009 at http://doi. acm.org/10.1145/1179542.1179544 Purser, Jimmy Ray. “Tool Shed—IceSword for Rootkit Detection,” in NetworkWorld, 12 January 2009. Accessed 25 May 2009 at http://www.networkworld. com/community/node/37148 Organisation for Economic Cooperation and Development (OECD). Malicious Software (Malware): Security Threat to the Internet Economy. Ministerial Background Report DSTI/ICCP/REG(2007)5/FINAL, 6 March 2008. Accessed 31 May 2009 at http://www. oecd.org/dataoecd/53/34/40724457.pdf IA Tools Report 207 Section 6 References and Bibliography Reifer, Donald J., Pranjali Baxi, Fabio Hirata, Jonathan Schifman, and Ricky Tsao. “Addressing Malicious Code in COTS: A Protection Framework,” in COTSBased Software Systems (Lecture Notes in Computer Science, Volume 3412/2005; Berlin/Heidelberg, Germany: Springer Verlag, 2005), pp. 157-167. Accessed 31 May 2009 at http://www.springerlink. com/content/lp7l4m3q2nmtncp1/fulltext.pdf Royal Canadian Mounted Police. “Future Trends in Malicious Code—2006 Report.” Information Technology Security Report/Lead Agency Publication R2-002, August 2006. Accessed 29 June 2008 at http:// www.rcmp-grc.gc.ca/tsb/pubs/it_sec/r2-002_e.pdf Rubenking, Neil J. “Rooting out Rootkits,” in PC Magazine, 30 April 2007. Accessed 21 May 2009 at http://www.pcmag.com/article2/0,2817,2123981,00.asp Rutkowska, Joanna. “Introducing Stealth Malware Taxonomy, Version 1.01,” November 2006. Accessed 31 May 2009 at http://invisiblethings.org/papers/ malware-taxonomy.pdf Rutkowska, Joanna. “System Virginity Verifier— Defining the Roadmap for Malware Detection on Windows System,” presented at the Hack in the Box Security Conference, Kuala Lumpur, Malaysia, 28-29 September 2005. Accessed 21 May 2009 at http://www. invisiblethings.org/papers/hitb05_virginity_verifier.ppt Seltzer, Larry. “Spyware Fades to a Dull Roar, but Targeted Attacks Loom.” eWeek, 20 July 2006. Accessed 31 May 2009 at http://www.eweek.com/c/a/ Security/Spyware-Fades-to-a-Dull-Roar-But-TargetedAttacks-Loom/ Shannon, Colleen and David Moore. “The Spread of the Witty Worm.” Presentation to the monthly meeting of the San Diego Regional Information Watch, 15 June 2004. Accessed 31 May 2009 at http:// www.caida.org/publications/presentations/2004/ witty_worm/witty_worm_lisa.pdf 208 IA Tools Report Shannon, Colleen. “Current Network Security Threats: DoS, Viruses, Worms, Botnets.” Presented at the Trans-European Research and Education Networking Association (TERENA) Networking Conference, 23 May 2007. Accessed 31 May 2009 at http://tnc2007.terena.org/core/getfile.php?file_id=460 Sherstobitoff, Ryan. “The Silent Epidemic—The rise of economically motivated malware and targeted attacks.” Presented at the 2007 Boise Information Systems Security Association InfoSec Conference, 25 April 2007. Accessed 16 July 2008 at http://www. boiseissa.org/conference/2007.sherstobitoff.ppt stopbadware.org. “May 2008 Badware Web sites Report.” 24 June 2008. Accessed 31 May 2009 at: http://www.stopbadware.org/pdfs/StopBadware_ Infected_Sites_Report_062408.pdf SwatIt. “Bots, Drones, Zombies, Worms and other things that go bump in the night.” Accessed 30 June 2008 at http://www.swatit.org/bots/ Symantec. Internet Security Threat Report: Trends for July 1 2003 – December 31 2003, Volume V, March 2004. Accessed 31 May 2009 at http://eval.symantec. com/mktginfo/enterprise/white_papers/entwhitepaper_symantec_internet_security_threat_ report_v.pdf Symantec. Internet Security Threat Report: Trends for January 1 2004 – June 30 2004, Volume VI, September 2004. Accessed 31 May 2009 at http://eval.symantec. com/mktginfo/enterprise/white_papers/ ent-whitepaper_symantec_internet_security_threat_ report_vi.pdf Symantec. Internet Security Threat Report: Trends for July 04 – December 04, Volume VII, March 2005. Accessed 31 May 2009 at http://eval.symantec.com/ mktginfo/enterprise/white_papers/ent-whitepaper_ symantec_internet_security_threat_report_vii.pdf Section 6 References and Bibliography Symantec. Internet Security Threat Report: Trends for January 05 – June 05, Volume VIII, September 2005. Accessed 31 May 2009 at http://eval.symantec.com/ mktginfo/enterprise/white_papers/ent-whitepaper_ symantec_internet_security_threat_report_viii.pdf Symantec. Internet Security Threat Report: Trends for July 05 – December 05, Volume IX, March 2006. Accessed 31 May 2009 at http://eval.symantec.com/ mktginfo/enterprise/white_papers/ ent-whitepaper_symantec_internet_security_threat_ report_ix.pdf Symantec AntiVirus Research Center. “Understanding Virus Behavior in 32-bit Operating Environments.” Accessed 20 July 2008 at http://www. Symantec.com/avcenter/reference/virus.behavior. under.win.32.pdf Talbot, Bruce and Danny Lai (for Australian Department of Communications, Information Technology, and the Arts). “Spyware Discussion Paper,” draft May-June 2005. Accessed 31 May 2009 at http://www.dbcde.gov.au/__data/assets/pdf_ file/0008/25973/Spyware_discussion_paper.pdf Telang, Rahul and Sunil Wattal: “Impact of Software Vulnerability Announcements on the Market Value of Software Vendors—an Empirical Investigation,” in Proceedings of the Fourth Workshop on the Economics of Information Security, Cambridge, MA, 2-3 June 2005. Accessed 22 July 2008 at http://infosecon.net/ workshop/pdf/telang_wattal.pdf and at http://www. heinz.cmu.edu/~rtelang/event_study.pdf Telang, Rahul, Ashish Arora, Ramayya Krishnan and Yubao Yang. “An Empirical Analysis of Software Vendors’ Patching Behavior,” January 2006. Accessed 31 May 2009 at http://www.heinz.cmu.edu/~rtelang/ disclosure_jan_06.pdf Trend Micro. “The Trend of Malware Today: Annual Virus Round-up and 2004 Forecast.” December 2003. Accessed 29 June 2008 at http://us.trendmicro.com/ imperia/md/content/us/pdf/threats/securitylibrary/ virusroundup.pdf US-CERT Multi-State Information Sharing and Analysis Center and United States Computer Emergency Readiness Team. “Current Malware Threats and Mitigation Strategies.” 16 May 2005. Accessed 10 June 2008 at http://www.us-cert.gov/ reading_room/malware-threats-mitigation.pdf Vaas, Lisa. “Malware Poisoning Results for Innocent Searches,” in eWeek, 27 November 2007. Accessed 31 May 2009 at http://www.eweek.com/c/a/Security/ Malware-Poisoning-Results-for-Innocent-Searches/ Virus Source Code Database. Accessed 10 June 2008 at http://www.totallygeek.com/vscdb/ Vogt, Tom. “Simulating and optimising worm propagation algorithms.” 29 September 2003 (updated 16 February 2004). Accessed 25 May 2009 at http:// Web.lemuria.org/security/WormPropagation.pdf— and at http://www.rootsecure.net/content/downloads/ pdf/worm_propogation.pdf Wait, Patience. “Malware’s Tangled Roots.” Government Computer News, 21 August 2006. Accessed 31 May 2009 at http://gcn.com/ Articles/2006/08/16/Malwares-tangled-roots. aspx?Page=4 Watson, Brian P. “Bots, Smaller and Wilier, Deepen Their Threat to Networks,” in Baseline, 17 September 2007. Accessed 25 May 2009 at http://www. baselinemag.com/c/a/Intelligence/ Bots-Smaller-and-Wilier-Deepen-Their-Threat-toNetworks/ Wikipedia: “Timeline of notable computer viruses and worms.” Accessed 25 May 2009 at http:// en.wikipedia.org/wiki/ Timeline_of_notable_computer_viruses_and_worms Yachin, Dan. “Zero Hour Virus Protection: Defending Against the Unknown.” IDC White Paper, August 2005. Accessed 30 June 2008 at http://www.vbuster. hu/download/vb_docs/00_zh_esp/idc_def_against_ unknown.pdf IA Tools Report 209 Section 6 References and Bibliography Yegulalp, Serdar. “Review—Six Rootkit Detectors Protect Your System,” in InformationWeek, 16 January 2007. Accessed 21 May 2009 at http://www. informationweek.com/news/software/reviews/ showArticle.jhtml?articleID=196901062&pgno=1 Young, Tom. “Malware enters new phase.” Computing, 7 December 2006, pg. 11. Accessed 31 May 2009 at http://www.computing.co.uk/computing/ analysis/2170413/malware-enters-phase Zhang, Yu, Tao Li, Jia Sun, and Renchao Qin, Sichuan University (China). “An FSM-Based Approach for Malicious Code Detection Using the Self-Relocation Gene,” in Proceedings of the Fourth International Conference on Intelligent Computing: Advanced Intelligent Computing Theories and Applications, Shanghai, China, 15-18 September 2008, pp. 364-371. Accessed 31 May 2009 at http://dx.doi. org/10.1007/978-3-540-87442-3_46 210 IA Tools Report SECTION 7 u Definitions of Acronyms and Key Terms Acronym or Term Definition AES Advanced Encryption Standard AIX Advanced Interactive eXecutive AMD Advanced Micro Devices AMTSO Anti-Malware Testing Standards Organization API Application Programming Interface ASC AntiSpyware Coalition ASCII American Standard Code for Information Interchange AV Anti-Virus BGP Border Gateway Protocol BHO Browser Helper Object BSD Berkeley Software Distribution CA formerly an acronym for Computer Associates CAIDA Cooperative Association for Internet Data Analysis CD Compact Disc CERT/CC Computer Emergency Response Team Coordination Center CHM Compiled HTML Help CISSP Certified Information System Security Professional COTS Commercial Off-The-Shelf CPU Central Processing Unit CSI Computer Security Institute DDoS Distributed Denial of Service DLL Dynamic Linked Library DHS Department of Homeland Security DISA Defense Information Systems Agency DNA Deoxyribonucleic acid DNS Domain Name System DoD Department of Defense DoS Denial of Service DOS Disk Operating System dpi Dots Per Inch DTIC Defense Technical Information Center DVD Digital Versatile Disc EICAR European Institute for Antivirus Research IA Tools Report 211 Definitions of Acronyms and Key Terms Acronym or Term Definition ESM External Security Manager FBI Federal Bureau of Investigation FTP File Transfer Protocol FX Function Extraction GB Gigabyte GHz Gigahertz GNU GNU’s Not UNIX GPL GNU Public License GUI Graphical User Interface HIPS Host Intrusion Prevention System HTML HyperText Markup Language HTTP HyperText Transfer Protocol IA Information Assurance IAC Information Analysis Center IATAC Information Assurance Technology Analysis Center ID Identifier IE Internet Explorer ® IEEE Institute of Electrical and Electronics Engineers IM Instant Messenger IMAP Internet Message Access Protocol IO Information Operations IP Internet Protocol IRC Internet Relay Chat ISP Internet Service Provider IT Information Technology LKM Linux Kernel Module LSP Layered Service Provider MB Megabyte MD5 Message Digest 5 MHz MegaHertz MIME Multipurpose Internet Mail Extensions MMS Multimedia Messaging Service MP3 MPEG Audio Layer Three MPEG Moving Picture Experts Group NAS Network Attached Storage 212 IA Tools Report Definitions of Acronyms and Key Terms Acronym or Term Definition NATO North Atlantic Treaty Organization NAVSEA Naval Sea Systems Command NIAP National Information Assurance Partnership NIST National Institute of Standards and Technology NFS Network File System NNTP Network News Transfer Protocol NSA National Security Agency OECD Organisation for Economic Cooperation and Development OEM Original Equipment Manufacturer OES Open Enterprise Server OLE Object Linking and Embedding OS Operating System P2P Peer-to-Peer PC Personal Computer PDA Personal Digital Assistant PDF Portable Document Format POP Post Office Protocol PUP Potentially Unwanted Program RAM Random Access Memory RFID Radio Frequency Identification ROM Read-Only Memory RTF Rich Text Format SaaS Software-as-a-Service SD SecureDigital SDK Software Development Kit SDLC Software Development Life Cycle SSL Secure Sockets Layer SMS Short Message Service SMTP Simple Mail Transfer Protocol SP Special Publication SVV System Virginity Verifier TCP Transmission Control Protocol TERENA Trans-European Research and Education Networking Association TPM Trusted Platform Module UDP User Datagram Protocol IA Tools Report 213 Definitions of Acronyms and Key Terms Acronym or Term Definition URL Uniform Resource Locator US-CERT United States Computer Emergency Response Team USB Universal Serial Bus VxMS Veritas Mapping Service XML eXtensible Markup Language XSS Cross-Site Scripting 214 IA Tools Report SECTION 8 u Definitions Demilitarized Zone A separate network that hosts an organization’s Internet-facing computers and services. By enforcing logical or physical separation, external-facing hosts and the organization’s intranet, malware, and other compromises that occur in the demilitarized zone are prevented from spreading to systems on the internal network. False negative Refers to the result of an anti-malware detection scan that fails to indicate existing malware. False positive Refers to the result of an anti-malware detection scan that indicates the presence of malware that is not actually present. Heuristic detection A mechanism designed to detect new or unknown malware using a variety of scanning, including running the malware in a virtual sandbox. One of the primary drawbacks of heuristic detection is that it is more prone to false positives. In the wild malware that get installed on operational systems (rather than those types of malware that are embedded, i.e., built, into systems during their development, distribution, or initial pre-operational installation). Polymorphic virus Traditionally, viruses infect files with identical copies of themselves. Through polymorphism, viruses use some form of mutation or obfuscation to slightly alter their own executable images before infecting other files. The mutated/obfuscated executable is functionally equivalent to the original virus, but produces a different signature, making it difficult for signature-based anti-malware scanners to recognize it. Virus-writers may specify the rate at which a virus mutates, with a longer mutation rate causing the virus to modify itself at the same rate (or faster) as anti-virus suppliers are typically able to add signatures generated from the older version(s) of the virus into their signature databases. In this way, the polymorphic virus always keeps “one step ahead” of the available signatures. Propagation Currently infecting operational systems and spreading over the Internet. This is by contrast with malicious code developed for observation in an isolated laboratory. The method through which certain categories of malware spread from one system to another. The malware types that most commonly propagate are viruses and worms. There are various propagation vectors, including— Malware XXNetwork-based propagation, in which the malware Software or firmware intended to perform an unauthorized process that will have adverse impact on one or more required properties of the targeted system, including (but not limited to)— confidentiality, privacy, integrity, availability, dependability, usability, and performance. Definitions of the numerous individual categories of malware are provided in Section 2.1, Table 2-1 “Malware Types.” Malware is also referred to as malicious code. Sometimes the term virus is inaccurately used to designate all categories of identifies and migrates to another host on the same a computer network; XXExecution-based propagation, in which an infected file is opened or executed and the execution of opener application or the infected executable causes the malware to spread and infect additional files; IA Tools Report 215 Definitions XXDisk-based propagation, in which the malware Zero-day infects a removable data storage medium (CD, thumb drive, external hard drive, etc.) and spreads to the next system on which that medium is connected/inserted; XXTrojan-based propagation, in which the malware is hidden within a seemingly legitimate software application and propagates when a person downloads that application then shares it with someone else. Zero-day malware is a previously unknown instance of malware for which specific anti-malware signatures are not yet available. Because signaturebased anti-malware tools can only defend against malware for which samples have been obtained and signatures generated, signature-based tools are not effective against zero-day viruses. Quarantine A mechanism used by anti-malware tools to isolate and constrain malware so that it cannot propagate further or reach the operating system or any other software on the system. To achieve isolation and constraint, the anti-malware tool moves the files it suspects of being infected to a specific location in the file system that is inaccessible by any process on the system other than the anti-malware tool itself. Scanning The process by which anti-malware tools systematically review and observe the contents of the hard disk, memory, and other areas of a computing system to locate suspected malware. Signature A pattern of bytes that is unique to a specific piece of malware’s binary code. When signature-based anti-malware tools scan for malware, they search files on the system for the presence of these specific patterns. Virus A type of malware that replicates itself by attaching its program instructions to an ordinary host program or document. When the host program is executed, the virus’ instructions are also executed. As noted, the term virus is sometimes used less accurately to refer to any type of malware that is “delivered” to an operational system or to any type of self-propagating malware, including worms and some types of Trojans. 216 IA Tools Report Section 9 u Additional Information This section contains additional information that may be of interest to the reader. This information was referred to in the main part of this report. 9.1 Economic Rationale for Malware Attackers The following have been determined to be the most prevalent economic motivators and enablers for attackers who disseminate or embed malware— XXEmail costs virtually nothing to send. XXHigh-speed Internet connections and increased bandwidth allow for the mass creation of compromised hosts that comprise a self sustaining attack system. XXMalicious actors can replace hosts that have been disconnected or disinfected. XXAll the costs of dealing with spam and malware 9.2 Objectives of Botnet Attackers are passed on to the Internet provider and the “unwilling” recipients, who are charged for protective measures, bandwidth, and other connection costs, on top of the costs of repairing the computer or having lost money to scams. XXCriminals minimize their costs to the extreme: they pay no tax, escape the cost of running a genuine business, and pay commission only to others in criminal circles worldwide and at a comparatively low price. The cost to malicious actors continues to decrease as freely available email storage space increases. XXUse of botnets makes it easier and even cheaper to send malware through email. XXCriminals often have access to cheap techniques for harvesting email addresses as well as easy access to malware and outsourced spamming services. XXAnti-detection techniques are constantly evolving to make it cheaper to operate. XXMalicious actors can easily switch ISPs if their activity is detected and their service terminated. XXMalware itself and the compromised computers being used to further launch malware attacks are a low cost, readily available, and easily renewable resource. The following have been observed to be typical objectives of attackers who establish botnets— XXTo locate and infect other information systems with bots and other malware, thereby maintaining and building their supply of new bots to achieve other objectives; XXTo conduct distributed denial of service attacks (DDoS); XXTo create a service that can be bought, sold or rented out; XXTo rotate IP addresses under one or more domain names for the purpose of increasing the longevity of fraudulent Web sites (e.g., phishing and/or malware sites); XXTo send spam that distributes more malware; XXTo steal sensitive information from each compromised computer that belongs to the botnet; XXTo host a malicious phishing site (often in conjunction with other members of the botnet to provide redundancy); XXTo run additional attack code. IA Tools Report 217 Additional Information 9.3 Worms: How They Are Constructed, How They Operate The typical worm has the following components— XXReconnaissance module—Scans the network/ Internet for vulnerable hosts. This may be done in real-time, or in advance (see description of worm propagation methods below); XXAttack module—May exploit from one to many known vulnerabilities in a potentially vulnerable host; XXCommunication module—Enables the worm to communicate with other worms or to transfer information to a central command module that ensures the correct functioning of the communication module; the command module locates neighboring worms for communication. Worms propagate via a variety of vectors that can be categorized either as scan-based or topology-based. Scan-based worms (i.e., those using scan-based vectors) probe the network’s entire IP address space or the routable address space while simultaneously scanning as many hosts as it can to find a vulnerable host. Usually this is accomplished by the attacker flooding the targeted hosts with requests from randomly spoofed source IP addresses. A vulnerable victim, believing the requests are legitimate, will respond to each spoofed address. When it finds a vulnerable host, the worm sends out a probe to infect it, then transfers a copy of itself to the infected host. The infected host then runs the worm, which repeats the process to find and infect other victims. For example, Sapphire/Slammer (2003) used a single UDP packet to scan, infect, and replicate itself to victims. Worm scanning techniques used include— XXRandom scanning, which selects victim IP Version 4 addresses at random, was used by Code Red and Slammer. DNS random scanning uses the DNS infrastructure to locate likely victims by guessing DNS names instead of using IP addresses. 218 IA Tools Report Researchers have modeled a DNS random scanning worm that has propagated successfully on an IPv6 network. XXSelective random scanning, which reduces the potential scanning space by using additional information such as the Team Cymru Bogon list (see: http://www.cymru.com/Documents/bogonlist.html) and/or the IANA’s IPv4 address allocation map (see: http://www.iana.org/ assignments/ipv4-address-space), was used by the Slapper worm. XXRoutable scanning, in which border gateway protocol (BGP) routing tables form the basis for building scan lists, is a special case of selective random scanning; at least two worms, The Class-A Routing Worm” and the “BGP Routing Worm” have been developed in labs to study the propagation of routable scanning worms. XXLocalized scanning, which preferentially scans for hosts in the infected host’s “local” address space, was used by Code Red II and Nimda worms. XXHitlist-scanning, which requires the compilation of a list of vulnerable machines before the worm is released; these machines will be the first targeted when the worm is launched. A more sophisticated form of hitlist-scanning is importance scanning. The term “importance scanning” comes from the concept of importance sampling in statistics. Importance-scanning worms optimally exploit the non-uniform distribution of vulnerable hosts by probing the Internet according to the known or statistically likely distribution of vulnerable hosts, which focuses the scans on the most relevant parts of the address space. If a complete list of vulnerable hosts can be assembled, importancescanning worms can reach the fastest rates of infection, thereby becoming flash worms. A flash worm spreads to every machine on its list of IP addresses of known-vulnerable machines; they spread extremely fast because they target only vulnerable hosts, so their success rate is extremely high. To date, importance-scanning has been modeled in research labs, but not reported “in the wild.” Additional Information XXSearch-based scanning—Search-based worms are a variant of hitlist-scanning worms. These worms have emerged as random scanning and its variants have become increasingly detectable by anti-malware countermeasures. Search-based worms use Google and other search engines to automate submission of carefully crafted search queries to search engines such as Google, and build a list from the returned results of those queries of likely vulnerable Web servers to which they then copy themselves. XXTopological-scanning—In contrast to scan-based worms, topology-based or topological-scanning worms target the topological neighbors of their initial hosts, which they discover by a variety of means. For example, the Morris worm (1988) retrieved the neighbor list from a host’s local UNIX /etc/hosts.equiv and .rhosts files plus individual users’ .forward and .rhosts files. An email virus is a variant of a topological-scanning worm. When an email user receives a message and opens the attachment containing the virus, the virus infects the user’s machine then sends copies of itself to all addresses in the user’s email address book. 9.4 Malicious Anti-malware Tools ”...be careful not to download a clean-up tool from a vendor you’ve never heard of before. Some criminals are promoting bogus...tools and have set up professional-looking Web sites to scam the unwary.” — Graham Cluley, Sophos [19] A number of alleged freeware anti-malware tools have been discovered to contain malicious logic. The reader is encouraged to perform due diligence on any anti-malware tool before installing it, and to be particularly wary of freeware tools produced by developers that go to lengths to obfuscate their identities. Due diligence should begin with an investigation of the tool’s reputation among known, reputable security organizations and malware experts. [20] names of all tools on one of the many long lists of freeware anti-malware tools published on the Internet. Just a few of the names that turned up in reports from numerous reputable security publications, anti-malware vendors, and security experts: Internet Antivirus Pro (for which an antidote was issued by Microsoft’s Malware Protection Center), Antivirus XP 08 (a password-stealing Trojan), Personal Antivirus (whose perpetrators cynically used iFrame Search Engine Optimization poisoning attacks to redirect Google searches for information on the Air France Flight 447 disaster as their mechanism for installing the rogue anti-malware Trojan on Google users’ PCs). The reader will discover that organizations like Spyware-assistance.org routinely publish lists of tools that have been discovered to be malicious and/or to install spyware. Some freeware tools have clear indicators of their possible maliciousness. For example, there is a very impressive-sounding anti-malware tool offered by a software company that has a Web site that bears all the earmarks of a textbook malicious Web site. In another case, one tool appears to be a legitimate anti-spyware tool until one reads the developer’s tool description, in which he admits to (read: brags about) also having produced a rogue anti-malware scanner that was expressly designed to generate false positives in order to scare users. Such a tool could at best be useful to a legitimate anti-malware tool vendor that wished to attract customers by running free over-the-Internet scans (as described in Section 4.3.5), which would always find that the scanned computer was infected. The vendor would, of course, only provide remediation to users who paid for full tool licenses (this is the standard business model even of the legitimate tool vendors who offer free over-the-Internet scans). Google is a particularly useful tool for investigating anti-malware tools. It is very easy to turn up reports of suspected malicious tools by simply Googling the tools’ names. The authors of this report entered the IA Tools Report 219 Additional Information The value of this false-positive-generating rogue anti-malware scanner is left to the reader. The potential use by hackers or cybercriminals who operate as Graham Cluley describes in his quotation above—encourage users to visit their Web sites for a free scan that will detect and “clean up” malware; in some cases, the free scanner appears in a pop-up window on the user’s screen and he/she doesn’t need to navigate anywhere. If the user takes advantage of the free scan, the result is a background download of spyware, Trojans, bots, or other malware to the users’ systems, or the offer of a free download of an antimalware tool that in fact contains or constitutes malicious code. For further information on the problem of rogue antimalware tools, see— XXNichols, Shaun. Fake antivirus attacks on the rise, on vnunet.com, 17 September 2008. Accessed 31 May 2009 at http://www.vnu.co.uk/vnunet/ news/2226211/fake-antivirus-attacks-balloon XXEarly, Erin. “The Rise and Rise of Rogue Security Software,” on Help Net Security, 22 December 2008. Accessed 31 May 2009 at http://www.netsecurity.org/article.php?id=1193 XXRogue security software, on WikiPedia. Accessed 31 May 2009 at http://en.wikipedia.org/wiki/ Rogue_software XXKrebs, Brian. “Massive Profits Fueling Rogue Antivirus Market,” in The Washington Post, 16 March 2009. Accessed 31 May 2009 at http://voices. washingtonpost.com/securityfix/2009/03/obscene_ profits_fuel_rogue_ant.html XXKrebs, Brian. “Rogue Antivirus Distribution Network Dismantled,” in The Washington Post, 20 March 2009. Accessed 31 May 2009 at http://voices. washingtonpost.com/securityfix/2009/03/sunlight_ disinfects_rogue_anti.html XXSASIs-Securityspot. Accessed 31 May 2009 at http://sasis-securityspot.blogspot.com/ 220 IA Tools Report References 19 Graham Cluley, Sophos. “Conficker’s impact on Google Search,” on his blog, 31 March 2009. Accessed 31 May 2009 at http://www.sophos.com/blogs/gc/g/2009/03/31/ confickers-impact-google-search 20 Names to look for include Mikko Hypponen, Steve Trilling, Ernst Leiss, Graham Cluley, Paul Ducklin, Péter Ször, Roger Thompson, Matt Fearnow, David Chess, Nick Fitzgerald, and Joe Wells.